
Windows Analysis Report
lzsVg6vGuu.ps1

Overview

General Information

Sample name: lzsVg6vGuu.ps1 (renamed because the original name is a hash value)
Original sample name: 0e904a68907cdddfb773cfc3a2af790456f928acf00d119afd237e516683d548.ps1
Analysis ID: 1517137
MD5: f1d2e68a2a7f4059e127ddf926ab1e0f
SHA1: 99a1ac8445d42593ffa8f045e4c1db0dde3e4436
SHA256: 0e904a68907cdddfb773cfc3a2af790456f928acf00d119afd237e516683d548
Tags: ps1, vecotr-viewdns-net, user-JAMESWT_MHT

Detection

PureLog Stealer, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected PureLog Stealer
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign process
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 6100 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\lzsVg6vGuu.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 1088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 1292 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Extracted malware configuration (XWorm): {"C2 url": ["vecotr.viewdns.net"], "Port": "50000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source | Rule | Description | Author | Strings
00000003.00000002.4541636424.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000003.00000002.4541636424.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x6aa8: $cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x6b45: $cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x6c5a: $cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x691a: $cnc4: POST / HTTP/1.1
00000000.00000002.2257804729.000001EF66360000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000000.00000002.2222452936.000001EF4FCF4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.2222452936.000001EF4FCF4000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x179d0: $cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x17a6d: $cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x17b82: $cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x17842: $cnc4: POST / HTTP/1.1
(6 further memory-dump matches not shown)

Source | Rule | Description | Author | Strings
3.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
3.2.RegSvcs.exe.400000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x6ca8: $cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x6d45: $cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x6e5a: $cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x6b1a: $cnc4: POST / HTTP/1.1
0.2.powershell.exe.1ef4dfb9820.1.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.powershell.exe.1ef4dfb9820.1.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x4ea8: $cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x4f45: $cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x505a: $cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x4d1a: $cnc4: POST / HTTP/1.1
0.2.powershell.exe.1ef4f947148.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
(5 further unpacked-PE matches not shown)

System Summary

Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\lzsVg6vGuu.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\lzsVg6vGuu.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\lzsVg6vGuu.ps1", ProcessId: 6100, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\lzsVg6vGuu.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\lzsVg6vGuu.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\lzsVg6vGuu.ps1", ProcessId: 6100, ProcessName: powershell.exe
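The two Sigma matches above fire on the PowerShell command line alone: the -ExecutionPolicy switch sets the policy for that one process, so the host's configured policy offers no protection unless it is enforced through Group Policy. The process tree supplies the second half of the story: powershell.exe (PID 6100) spawns RegSvcs.exe (PID 1292) with nothing on its command line but its own path, which together with the "Creates a process in suspended mode" and "Writes to foreign memory regions" signatures is the shape of a .NET loader hollowing a signed framework utility. The following added example is editorial, not part of the Joe Sandbox report or of any Sigma rule set; it evaluates both conditions over process-creation events using Sysmon Event ID 1 field names. The three events marked as taken from the report use the PIDs and command lines shown above (the PowerShell process has an empty ParentImage there, exactly as in the Sigma match data); the two marked constructed are benign decoys, and the Contoso paths in them are invented.

```python
import re
from pathlib import PureWindowsPath

# Script hosts that should not normally parent an argument-less .NET utility,
# and the framework utilities commonly chosen as hollowing targets.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
HOLLOWING_TARGETS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "applaunch.exe"}

# -ExecutionPolicy may be abbreviated (-ep, -ex, -exec, ...); flag the two
# values that disable signature checks for the process.
EXEC_POLICY = re.compile(r"(?i)(?:^|\s)[-/]e(?:p|x[a-z]*)\s+(unrestricted|bypass)\b")
FILE_SWITCH = re.compile(r"(?i)[-/]f(?:i(?:le?)?)?")          # -f, -fi, -fil, -file
USER_WRITABLE = re.compile(r"(?i)\\(?:users\\[^\\]+\\(?:desktop|downloads|documents|appdata)|programdata|windows\\temp)\\")

# Events 6100, 1088 and 1292 are the report's process tree; 4242 and 4243 are
# constructed benign events for contrast (Contoso paths are invented).
SAMPLE_EVENTS = [
    {"ProcessId": 6100, "ParentProcessId": 1028, "ParentImage": "",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\lzsVg6vGuu.ps1"'},
    {"ProcessId": 1088, "ParentProcessId": 6100, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\system32\conhost.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"ProcessId": 1292, "ParentProcessId": 6100, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
    {"ProcessId": 4242, "ParentProcessId": 900, "ParentImage": r"C:\Program Files\Contoso\Setup.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "C:\Program Files\Contoso\ContosoService.dll"'},
    {"ProcessId": 4243, "ParentProcessId": 900, "ParentImage": r"C:\Program Files\Contoso\Setup.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Program Files\Contoso\health.ps1"'},
]


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace outside double quotes.
    Sufficient for the forms seen here; it does not implement every CRT escaping rule."""
    args, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def hunt(events):
    """Return one finding per matched rule, keyed by the offending process ID."""
    findings = []
    for ev in events:
        image = PureWindowsPath(ev["Image"]).name.lower()
        parent = PureWindowsPath(ev.get("ParentImage") or "").name.lower()
        args = split_cmdline(ev["CommandLine"])
        pid = ev["ProcessId"]

        if image in {"powershell.exe", "pwsh.exe"}:
            m = EXEC_POLICY.search(ev["CommandLine"])
            if m:
                findings.append({"pid": pid, "rule": "insecure_execution_policy", "detail": m.group(1)})
            for switch, value in zip(args, args[1:]):
                if FILE_SWITCH.fullmatch(switch) and USER_WRITABLE.search(value):
                    findings.append({"pid": pid, "rule": "script_in_user_writable_path", "detail": value})

        # A framework utility launched with nothing but its own path does no useful
        # work by itself; it is the classic target for suspended-process injection.
        if image in HOLLOWING_TARGETS and len(args) == 1:
            rule = "argless_dotnet_utility_from_script_host" if parent in SCRIPT_HOSTS else "argless_dotnet_utility"
            findings.append({"pid": pid, "rule": rule, "detail": f"parent={parent or '?'}"})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"PID {f['pid']:>5}  {f['rule']:<40} {f['detail']}")
```

Run against the five events the script reports three findings, all on PIDs 6100 and 1292; the RegSvcs.exe launched by the installer with an assembly argument and the RemoteSigned health-check script stay silent. The argument-less check is the one worth keeping even without Sysmon command-line logging of PowerShell, because the hollowed process itself carries no indicator other than its empty command line and its parent.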
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-24T19:17:02.890302+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:17:13.262535+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:17:28.012600+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:17:32.895624+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:17:42.788822+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:17:57.570207+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:18:02.896378+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:18:05.835422+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:18:16.445695+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:18:21.320595+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:18:33.734709+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:18:33.735193+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:18:33.735929+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:18:33.909505+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:18:34.052314+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:18:42.633437+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:18:42.728982+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:18:57.445695+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:18:58.009437+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:18:58.585221+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:18:58.686038+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:19:02.894844+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:19:13.444835+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:19:19.827078+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:19:19.997862+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:19:20.289563+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:19:20.590297+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:19:29.955772+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:19:32.901700+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:19:44.739762+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:19:45.506963+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:19:45.596492+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:19:45.809112+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:19:46.976077+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:19:55.851270+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:19:55.960592+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:19:56.554292+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:20:01.710298+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:20:01.837413+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:20:01.934573+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:20:02.030150+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:20:02.137195+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:20:02.898948+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:20:16.804105+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:20:17.788001+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:20:17.888032+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:20:17.983089+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:20:18.079720+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:20:18.373436+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:20:21.788675+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:20:22.094237+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:20:24.807048+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:20:32.896124+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:20:33.694481+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:20:33.850554+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:20:33.946410+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:20:34.019055+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:20:34.115840+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:20:34.285766+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:20:34.381537+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:20:39.678887+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:20:39.850881+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:20:46.553911+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:20:49.194485+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-24T19:17:13.265142+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:17:28.016932+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:17:42.790701+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:17:57.573319+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:18:05.837338+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:18:16.450258+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:18:21.328716+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:18:33.912305+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:18:34.054233+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:18:42.635418+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:18:42.731887+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:18:57.452757+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:18:58.011375+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:18:58.592570+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:18:58.687831+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:19:13.447464+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:19:19.833327+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:19:19.999686+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:19:20.592452+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:19:29.966673+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:19:44.939536+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:19:45.508910+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:19:45.599087+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:19:45.811161+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:19:46.978490+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:19:55.853504+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:19:55.962366+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:19:56.557726+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:01.743594+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:01.839679+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:01.936134+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:02.033173+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:02.139218+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:16.806398+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:17.790080+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:17.889528+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:17.984538+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:18.080987+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:18.375288+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:21.790669+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:22.096027+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:24.808726+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:33.697106+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:33.852480+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:33.948391+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:34.020539+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:34.159914+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:34.191926+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:34.243887+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:34.287277+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:34.387228+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:34.485319+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:34.497326+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:39.680795+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:39.852717+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:46.559325+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:49.195310+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-24T19:17:02.890302+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:17:32.895624+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:18:02.896378+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:18:33.734709+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:18:33.735193+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:18:33.735929+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:19:02.894844+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:19:32.901700+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:20:02.898948+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:20:32.896124+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-24T19:19:19.556420+0200 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 191.96.207.180 | 50000 | TCP
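The 64 SID 2852870 hits follow the rhythm of the session, but the ten SID 2852874 rows (ETPRO XWorm CnC PING Command Inbound, see the Networking section) land almost exactly 30 seconds apart: a PING command the C2 server sends on a fixed schedule. That cadence on TCP/50000, together with the vecotr.viewdns.net name, is the durable indicator here; 191.96.207.180 is only what the dynamic-DNS name resolved to on 2024-09-24. The following added example is editorial, not part of the Joe Sandbox report: it parses the alert rows, groups them per SID and flow, collapses hits closer than one second into a single event (the three 2852874 hits within 2 ms at 19:18:33 cannot be three separate 30-second beacons), and flags flows whose inter-arrival jitter is below 5 % of the median interval. The rows are the report's own, transcribed with a " | " column split that is an editorial assumption; the burst window and jitter threshold are assumptions to tune per environment.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Rows transcribed from this report's Suricata tables: all ten SID 2852874 hits
# and the first six SID 2852870 hits. The " | " column split is an assumption
# (the report renders each row with its columns fused).
ALERT_ROWS = """\
2024-09-24T19:17:02.890302+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:17:32.895624+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:18:02.896378+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:18:33.734709+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:18:33.735193+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:18:33.735929+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:19:02.894844+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:19:32.901700+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:20:02.898948+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:20:32.896124+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:17:02.890302+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:17:13.262535+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:17:28.012600+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:17:32.895624+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:17:42.788822+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
2024-09-24T19:17:57.570207+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.5 | 49710 | TCP
"""


def parse_rows(text):
    """Parse pipe-delimited alert rows into dicts with an aware datetime and a flow 5-tuple."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, sev, classtype, src, sport, dst, dport, proto = [f.strip() for f in line.split("|")]
        alerts.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sid": int(sid),
            "severity": int(sev),
            "classtype": classtype,
            "flow": (src, int(sport), dst, int(dport), proto),
        })
    return alerts


def collapse_bursts(times, window_s=1.0):
    """Keep the first hit of every burst: hits closer than window_s to the last kept one are the same event."""
    kept = []
    for t in sorted(times):
        if not kept or (t - kept[-1]).total_seconds() >= window_s:
            kept.append(t)
    return kept


def beacon_stats(alerts, window_s=1.0, min_intervals=3, max_jitter=0.05):
    """Per (sid, flow): event count, median inter-arrival time, MAD/median jitter, periodic flag."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["sid"],) + a["flow"]].append(a["time"])
    report = {}
    for key, times in groups.items():
        events = collapse_bursts(times, window_s)
        gaps = [(b - a).total_seconds() for a, b in zip(events, events[1:])]
        if len(gaps) < min_intervals:
            report[key] = {"events": len(events), "median_s": None, "jitter": None, "periodic": False}
            continue
        med = statistics.median(gaps)
        mad = statistics.median([abs(g - med) for g in gaps])   # robust spread, unlike stdev
        jitter = mad / med if med else float("inf")
        report[key] = {"events": len(events), "median_s": round(med, 3),
                       "jitter": round(jitter, 4), "periodic": jitter < max_jitter}
    return report


def periodic_flows(text=ALERT_ROWS):
    """Only the (sid, flow) groups that look like fixed-interval beaconing."""
    return {k: v for k, v in beacon_stats(parse_rows(text)).items() if v["periodic"]}


if __name__ == "__main__":
    for key, s in beacon_stats(parse_rows(ALERT_ROWS)).items():
        sid, src, sport, dst, dport, proto = key
        print(f"SID {sid} {src}:{sport} -> {dst}:{dport}/{proto}: {s}")
```

On these rows SID 2852874 collapses to 8 events with a median gap of about 30.0 s and negligible jitter, so it is flagged; the six SID 2852870 hits span gaps from under 5 s to almost 15 s and are not. The median/MAD pair is deliberate: a single missed beacon or one retransmission burst would swing a mean and standard deviation enough to hide a clean 30-second schedule.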


AV Detection

Source: 00000003.00000002.4544033567.0000000002F51000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["vecotr.viewdns.net"], "Port": "50000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: lzsVg6vGuu.ps1 | ReversingLabs: Detection: 18%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 0.2.powershell.exe.1ef4dfb9820.1.raw.unpack | String decryptor: vecotr.viewdns.net
Source: 0.2.powershell.exe.1ef4dfb9820.1.raw.unpack | String decryptor: 50000
Source: 0.2.powershell.exe.1ef4dfb9820.1.raw.unpack | String decryptor: <123456789>
Source: 0.2.powershell.exe.1ef4dfb9820.1.raw.unpack | String decryptor: <Xwormmm>
Source: 0.2.powershell.exe.1ef4dfb9820.1.raw.unpack | String decryptor: XWorm V5.6
Source: 0.2.powershell.exe.1ef4dfb9820.1.raw.unpack | String decryptor: USB.exe
              Source: Binary string: NewPE2.pdb source: powershell.exe, 00000000.00000002.2222452936.000001EF4F615000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2257804729.000001EF66360000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: NewPE2.pdb(@ source: powershell.exe, 00000000.00000002.2222452936.000001EF4F615000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2257804729.000001EF66360000.00000004.08000000.00040000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData

Networking

Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 191.96.207.180:50000 -> 192.168.2.5:49710
Source: Network traffic | Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 191.96.207.180:50000 -> 192.168.2.5:49710
Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49710 -> 191.96.207.180:50000
Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.5:49710 -> 191.96.207.180:50000
Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49710 -> 191.96.207.180:50000
Source: Malware configuration extractor | URLs: vecotr.viewdns.net
Source: global traffic | TCP traffic: 192.168.2.5:49710 -> 191.96.207.180:50000
Source: Joe Sandbox View | ASN Name: ASN-XTUDIONETES ASN-XTUDIONETES
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: vecotr.viewdns.net
Source: powershell.exe, 00000000.00000002.2245378694.000001EF5DD6B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.2222452936.000001EF4DE18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.2222452936.000001EF4DBF1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4544033567.0000000002F51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2222452936.000001EF4DE18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.2222452936.000001EF4DBF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.2245378694.000001EF5DD6B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.2245378694.000001EF5DD6B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.2245378694.000001EF5DD6B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.2222452936.000001EF4DE18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.2245378694.000001EF5DD6B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

              System Summary

              Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 0.2.powershell.exe.1ef4dfb9820.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 0.2.powershell.exe.1ef4dfb9820.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 00000003.00000002.4541636424.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 00000000.00000002.2222452936.000001EF4FCF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 00000000.00000002.2222452936.000001EF4DE18000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process Stats: CPU usage > 49%
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02F381D8 | 3_2_02F381D8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02F35510 | 3_2_02F35510
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02F3BBD8 | 3_2_02F3BBD8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02F3AE98 | 3_2_02F3AE98
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02F35DE0 | 3_2_02F35DE0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02F351C8 | 3_2_02F351C8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02F30BA0 | 3_2_02F30BA0
              Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0.2.powershell.exe.1ef4dfb9820.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0.2.powershell.exe.1ef4dfb9820.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000003.00000002.4541636424.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000000.00000002.2222452936.000001EF4FCF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000000.00000002.2222452936.000001EF4DE18000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0.2.powershell.exe.1ef4dfb9820.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.powershell.exe.1ef4dfb9820.1.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.powershell.exe.1ef4f947148.0.raw.unpack, EwV3ECxYhIse1SOarW.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: 0.2.powershell.exe.1ef66360000.2.raw.unpack, EwV3ECxYhIse1SOarW.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: classification engine | Classification label: mal100.troj.evad.winPS1@4/5@2/1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\9tfJAPPPhsQ2CIFV
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1088:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kjux4bn4.0o0.ps1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
              Source: lzsVg6vGuu.ps1 | ReversingLabs: Detection: 18%
              Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\lzsVg6vGuu.ps1"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: Binary string: NewPE2.pdb source: powershell.exe, 00000000.00000002.2222452936.000001EF4F615000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2257804729.000001EF66360000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: NewPE2.pdb(@ source: powershell.exe, 00000000.00000002.2222452936.000001EF4F615000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2257804729.000001EF66360000.00000004.08000000.00040000.00000000.sdmp

              Data Obfuscation

              Source: 0.2.powershell.exe.1ef4dfb9820.1.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 0.2.powershell.exe.1ef4dfb9820.1.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 0.2.powershell.exe.1ef4f947148.0.raw.unpack, EwV3ECxYhIse1SOarW.cs | .Net Code: uDdV8u69VKLnNev38PJ(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{uDdV8u69VKLnNev38PJ(typeof(IntPtr).TypeHandle),typeof(Type)})
              Source: 0.2.powershell.exe.1ef66360000.2.raw.unpack, EwV3ECxYhIse1SOarW.cs | .Net Code: uDdV8u69VKLnNev38PJ(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{uDdV8u69VKLnNev38PJ(typeof(IntPtr).TypeHandle),typeof(Type)})
              Source: 0.2.powershell.exe.1ef4dfb9820.1.raw.unpack, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
              Source: 0.2.powershell.exe.1ef4dfb9820.1.raw.unpack, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
              Source: 0.2.powershell.exe.1ef4dfb9820.1.raw.unpack, Messages.cs | .Net Code: Memory
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FF848CC00BD pushad ; iretd 0_2_00007FF848CC00C1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02F37DA0 push eax; iretd 3_2_02F37DA1
              Source: 0.2.powershell.exe.1ef4f947148.0.raw.unpack, EwV3ECxYhIse1SOarW.cs | High entropy of concatenated method names: 'coIv6gaxrKyOU6UxhGB', 'YmKxVlaSSMxjg7yeSZr', 'BPTavEfPI8', 'pdaPcya8thctOw7jJPR', 'e52AmiaR6Zmb9lryLLG', 'VFhmi5apOUL45Layo85', 's7lkoDagZ7SB5rZQITN', 'q7yQT6aJ19wG5Ff3PrV', 'eUANGaaiQTIQvIro7Lh', 'yOG8BOaIDUqRkTkYGTt'
              Source: 0.2.powershell.exe.1ef4f947148.0.raw.unpack, geUwbRLwd0WNm7K3QP.cs | High entropy of concatenated method names: 'rkesS35Cky', 'auIkQH6o4NfXZEtqLWo', 'UtNfEh6dtiuHEv5GyR3', 'tobPIO6cNsowhYm6JYZ', 'z08y4G6OJTjebtPXsBe', 'xM0xGg6Dv9ifjCVCALk', 's2oSNh6kHwXWCjPNT1e', 'RHJgFS6jYOqPmd8yqch', 'HCgwjo6NdCdqwgS1jXN'
              Source: 0.2.powershell.exe.1ef4f947148.0.raw.unpack, Native.cs | High entropy of concatenated method names: 'LoadLibraryA', 'GetProcAddress', 'LoadApi', 'M2DDfJCjDKI6dkvGbUU', 'HytCt3CceuoYVLARgTH', 'asbBtkCOLuWCxWmxMrH', 'iPe0TGCNg1ulsrFuGHe', 'XE084OCYFp6QURxQXNM', 'xNDrW9CmxlBnIETjTvQ'
              Source: 0.2.powershell.exe.1ef4f947148.0.raw.unpack, Str.cs | High entropy of concatenated method names: 'ReverseString', 'BinaryToString', 'yRVbf4CTORcmD8WTJOo', 'CGyNH1CXiymcSWZhYiZ', 'fAYOIbCErgtjxemufl3', 'Y23WHXCwRSKNSXICkhU', 'IvO6ajC1bhZeT4AHTEO', 'vHGAm5CepTLTEblhDwj', 'Vx8Qx4CvcsaBOBt7IZf', 'n2p6k0CrwoLDc063WAb'
              Source: 0.2.powershell.exe.1ef4f947148.0.raw.unpack, PE.cs | High entropy of concatenated method names: 'Execute', 'muFoq8CAseaYDIPspOv', 'KRwVQXCGtZfeLlAnof5', 'arNOAMCxGMOePGZ8BMp', 'nnjcWOCSyXwHiJoVevG', 'Tvu02TCfqoPNp1rrRW2', 'nFaWI9Cl6YnHEcOun9x', 'oUX4ckCK7QI2rXqWGRQ', 'GFGnodC8lHNWHj6unEy', 'wBS7MKCRFTgjZ1Q4fVT'
              Source: 0.2.powershell.exe.1ef66360000.2.raw.unpack, EwV3ECxYhIse1SOarW.cs | High entropy of concatenated method names: 'coIv6gaxrKyOU6UxhGB', 'YmKxVlaSSMxjg7yeSZr', 'BPTavEfPI8', 'pdaPcya8thctOw7jJPR', 'e52AmiaR6Zmb9lryLLG', 'VFhmi5apOUL45Layo85', 's7lkoDagZ7SB5rZQITN', 'q7yQT6aJ19wG5Ff3PrV', 'eUANGaaiQTIQvIro7Lh', 'yOG8BOaIDUqRkTkYGTt'
              Source: 0.2.powershell.exe.1ef66360000.2.raw.unpack, geUwbRLwd0WNm7K3QP.cs | High entropy of concatenated method names: 'rkesS35Cky', 'auIkQH6o4NfXZEtqLWo', 'UtNfEh6dtiuHEv5GyR3', 'tobPIO6cNsowhYm6JYZ', 'z08y4G6OJTjebtPXsBe', 'xM0xGg6Dv9ifjCVCALk', 's2oSNh6kHwXWCjPNT1e', 'RHJgFS6jYOqPmd8yqch', 'HCgwjo6NdCdqwgS1jXN'
              Source: 0.2.powershell.exe.1ef66360000.2.raw.unpack, Native.cs | High entropy of concatenated method names: 'LoadLibraryA', 'GetProcAddress', 'LoadApi', 'M2DDfJCjDKI6dkvGbUU', 'HytCt3CceuoYVLARgTH', 'asbBtkCOLuWCxWmxMrH', 'iPe0TGCNg1ulsrFuGHe', 'XE084OCYFp6QURxQXNM', 'xNDrW9CmxlBnIETjTvQ'
              Source: 0.2.powershell.exe.1ef66360000.2.raw.unpack, Str.cs | High entropy of concatenated method names: 'ReverseString', 'BinaryToString', 'yRVbf4CTORcmD8WTJOo', 'CGyNH1CXiymcSWZhYiZ', 'fAYOIbCErgtjxemufl3', 'Y23WHXCwRSKNSXICkhU', 'IvO6ajC1bhZeT4AHTEO', 'vHGAm5CepTLTEblhDwj', 'Vx8Qx4CvcsaBOBt7IZf', 'n2p6k0CrwoLDc063WAb'
              Source: 0.2.powershell.exe.1ef66360000.2.raw.unpack, PE.cs | High entropy of concatenated method names: 'Execute', 'muFoq8CAseaYDIPspOv', 'KRwVQXCGtZfeLlAnof5', 'arNOAMCxGMOePGZ8BMp', 'nnjcWOCSyXwHiJoVevG', 'Tvu02TCfqoPNp1rrRW2', 'nFaWI9Cl6YnHEcOun9x', 'oUX4ckCK7QI2rXqWGRQ', 'GFGnodC8lHNWHj6unEy', 'wBS7MKCRFTgjZ1Q4fVT'
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              barindex
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 4360
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 5529
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Window / User API: threadDelayed 4624
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Window / User API: threadDelayed 5205
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4028 - Thread sleep time: -11068046444225724s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - File Volume queried: C:\ FullSizeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Users\user
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Users\user\AppData\Roaming\Microsoft
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Users\user\AppData\Roaming
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Users\user\AppData
              Source: RegSvcs.exe, 00000003.00000002.4541945336.00000000011CD000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlleP
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Process information queried: ProcessInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Process token adjusted: Debug
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Source: 0.2.powershell.exe.1ef4dfb9820.1.raw.unpack, Messages.cs - Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
              Source: 0.2.powershell.exe.1ef4f947148.0.raw.unpack, Native.cs - Reference to suspicious API methods: hZtBkRIAsdEfXyYT8l.DKNdSqYsy(GetProcAddress(LoadLibraryA(ref *(string*)(&name)), ref *(string*)(&method)), eNT4yUcAs2TV1EOUTN.DKNdSqYsy(typeof(CreateApi).TypeHandle, eNT4yUcAs2TV1EOUTN.NP4OpjU4s), hZtBkRIAsdEfXyYT8l.mQhtqTkRs)
              Source: 0.2.powershell.exe.1ef4f947148.0.raw.unpack, Native.cs - Reference to suspicious API methods: hZtBkRIAsdEfXyYT8l.DKNdSqYsy(GetProcAddress(LoadLibraryA(ref *(string*)(&name)), ref *(string*)(&method)), eNT4yUcAs2TV1EOUTN.DKNdSqYsy(typeof(CreateApi).TypeHandle, eNT4yUcAs2TV1EOUTN.NP4OpjU4s), hZtBkRIAsdEfXyYT8l.mQhtqTkRs)
              Source: 0.2.powershell.exe.1ef4f947148.0.raw.unpack, PE.cs - Reference to suspicious API methods: Native.WriteProcessMemory(processInformation.ProcessHandle, num10 + num16, array3, array3.Length, ref bytesWritten)
              Source: 0.2.powershell.exe.1ef4f947148.0.raw.unpack, PE.cs - Reference to suspicious API methods: Native.ReadProcessMemory(processInformation.ProcessHandle, num5 + 8, ref buffer2, 4, ref bytesWritten)
              Source: 0.2.powershell.exe.1ef4f947148.0.raw.unpack, PE.cs - Reference to suspicious API methods: x42mfHCtV6jaJIpPla7(Native.VirtualAllocEx, processInformation.ProcessHandle, num6, length, 12288, 64)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 40A000
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 40C000
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: E0C008
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: RegSvcs.exe, 00000003.00000002.4541945336.00000000011CD000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

              Stealing of Sensitive Information

              barindex
              Source: Yara match - File source: 0.2.powershell.exe.1ef4f947148.0.unpack, type: UNPACKEDPE
              Source: Yara match - File source: 0.2.powershell.exe.1ef66360000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match - File source: 0.2.powershell.exe.1ef66360000.2.unpack, type: UNPACKEDPE
              Source: Yara match - File source: 0.2.powershell.exe.1ef4f947148.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match - File source: 00000000.00000002.2257804729.000001EF66360000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match - File source: 00000000.00000002.2222452936.000001EF4F615000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match - File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match - File source: 0.2.powershell.exe.1ef4dfb9820.1.unpack, type: UNPACKEDPE
              Source: Yara match - File source: 0.2.powershell.exe.1ef4dfb9820.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match - File source: 00000003.00000002.4541636424.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match - File source: 00000000.00000002.2222452936.000001EF4FCF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match - File source: 00000003.00000002.4544033567.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match - File source: 00000000.00000002.2222452936.000001EF4DE18000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match - File source: Process Memory Space: powershell.exe PID: 6100, type: MEMORYSTR
              Source: Yara match - File source: Process Memory Space: RegSvcs.exe PID: 1292, type: MEMORYSTR

              Remote Access Functionality

              barindex
              Source: Yara match - File source: 0.2.powershell.exe.1ef4f947148.0.unpack, type: UNPACKEDPE
              Source: Yara match - File source: 0.2.powershell.exe.1ef66360000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match - File source: 0.2.powershell.exe.1ef66360000.2.unpack, type: UNPACKEDPE
              Source: Yara match - File source: 0.2.powershell.exe.1ef4f947148.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match - File source: 00000000.00000002.2257804729.000001EF66360000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match - File source: 00000000.00000002.2222452936.000001EF4F615000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match - File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match - File source: 0.2.powershell.exe.1ef4dfb9820.1.unpack, type: UNPACKEDPE
              Source: Yara match - File source: 0.2.powershell.exe.1ef4dfb9820.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match - File source: 00000003.00000002.4541636424.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match - File source: 00000000.00000002.2222452936.000001EF4FCF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match - File source: 00000003.00000002.4544033567.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match - File source: 00000000.00000002.2222452936.000001EF4DE18000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match - File source: Process Memory Space: powershell.exe PID: 6100, type: MEMORYSTR
              Source: Yara match - File source: Process Memory Space: RegSvcs.exe PID: 1292, type: MEMORYSTR
              MITRE ATT&CK Matrix

              Technique cells carrying an indicator count, grouped by tactic (the count shown in the report precedes each technique):
              Execution: 11 Windows Management Instrumentation; 1 Native API
              Persistence: 1 DLL Side-Loading
              Privilege Escalation: 211 Process Injection; 1 DLL Side-Loading
              Defense Evasion: 1 Disable or Modify Tools; 121 Virtualization/Sandbox Evasion; 211 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading
              Discovery: 121 Security Software Discovery; 1 Process Discovery; 121 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 13 System Information Discovery
              Collection: 11 Archive Collected Data
              Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol
              Tactics with no indicator count in any cell: Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration, Impact.
              Source | Detection | Scanner | Label
              lzsVg6vGuu.ps1 | 18% | ReversingLabs | Script-PowerShell.Backdoor.Xworm
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
              Source | Detection | Scanner | Label
              http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
              https://aka.ms/pscore68 | 0% | URL Reputation | safe
              http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
              https://contoso.com/ | 0% | URL Reputation | safe
              https://nuget.org/nuget.exe | 0% | URL Reputation | safe
              https://contoso.com/License | 0% | URL Reputation | safe
              https://contoso.com/Icon | 0% | URL Reputation | safe
              vecotr.viewdns.net | 0% | Avira URL Cloud | safe
              http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Avira URL Cloud | safe
              https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              vecotr.viewdns.net | 191.96.207.180 | true | true | | unknown
                Name | Malicious | Antivirus Detection | Reputation
                vecotr.viewdns.net | true | Avira URL Cloud: safe | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.2245378694.000001EF5DD6B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.2222452936.000001EF4DBF1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://pesterbdd.com/images/Pester.png | powershell.exe, 00000000.00000002.2222452936.000001EF4DE18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.2222452936.000001EF4DBF1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4544033567.0000000002F51000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000000.00000002.2222452936.000001EF4DE18000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://github.com/Pester/Pester | powershell.exe, 00000000.00000002.2222452936.000001EF4DE18000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://contoso.com/ | powershell.exe, 00000000.00000002.2245378694.000001EF5DD6B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.2245378694.000001EF5DD6B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://contoso.com/License | powershell.exe, 00000000.00000002.2245378694.000001EF5DD6B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://contoso.com/Icon | powershell.exe, 00000000.00000002.2245378694.000001EF5DD6B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                IP | Domain | Country | ASN | ASN Name | Malicious
                191.96.207.180 | vecotr.viewdns.net | Chile | 60458 | ASN-XTUDIONETES | true
                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1517137
                Start date and time:2024-09-24 19:15:46 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 6m 57s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:6
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:lzsVg6vGuu.ps1
                renamed because original name is a hash value
                Original Sample Name:0e904a68907cdddfb773cfc3a2af790456f928acf00d119afd237e516683d548.ps1
                Detection:MAL
                Classification:mal100.troj.evad.winPS1@4/5@2/1
                EGA Information:Failed
                HCA Information:
                • Successful, ratio: 96%
                • Number of executed functions: 19
                • Number of non-executed functions: 2
                Cookbook Comments:
                • Found application associated with file extension: .ps1
                • Override analysis time to 240000 for current running targets taking high CPU consumption
                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                • Execution Graph export aborted for target RegSvcs.exe, PID 1292 because it is empty
                • Execution Graph export aborted for target powershell.exe, PID 6100 because it is empty
                • Not all processes where analyzed, report is missing behavior information
                • VT rate limit hit for: lzsVg6vGuu.ps1
                Time | Type | Description
                13:16:41 | API Interceptor | 41x Sleep call for process: powershell.exe modified
                13:16:56 | API Interceptor | 8267706x Sleep call for process: RegSvcs.exe modified
                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                191.96.207.180 | payload_1.vbs | malicious | XWorm |
                191.96.207.180 | Commitment_for_Title_Insurance-660184790411.wsf | malicious | XWorm |
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    vecotr.viewdns.net | payload_1.vbs | malicious | XWorm | 191.96.207.180
                    vecotr.viewdns.net | Commitment_for_Title_Insurance-660184790411.wsf | malicious | XWorm | 191.96.207.180
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    ASN-XTUDIONETES | payload_1.vbs | malicious | XWorm | 191.96.207.180
                    ASN-XTUDIONETES | Commitment_for_Title_Insurance-660184790411.wsf | malicious | XWorm | 191.96.207.180
                    ASN-XTUDIONETES | file_5822aee2333945a68f99cf2cfdd0e024_2024-09-16_14_28_33_034000.zip | malicious | Unknown | 179.61.228.98
                    ASN-XTUDIONETES | mlnZfOifRX.elf | malicious | Okiru | 45.151.195.118
                    ASN-XTUDIONETES | arm7.elf | malicious | Mirai | 185.37.230.233
                    ASN-XTUDIONETES | file.exe | malicious | FormBook, PureLog Stealer | 45.131.83.43
                    ASN-XTUDIONETES | emsO.exe | malicious | FormBook, PureLog Stealer | 45.131.83.43
                    ASN-XTUDIONETES | 22wonl2YIZeR0zX.exe | malicious | FormBook, PureLog Stealer | 45.131.83.43
                    ASN-XTUDIONETES | p29D3FgSJF3zkbt.exe | malicious | FormBook, PureLog Stealer | 45.131.83.43
                    ASN-XTUDIONETES | A7aMlqL4J8HRCLk.exe | malicious | FormBook, PureLog Stealer | 45.131.83.43
                    No context
                    No context
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):64
                    Entropy (8bit):1.1940658735648508
                    Encrypted:false
                    SSDEEP:3:NlllulxmH/lZ:NllUg
                    MD5:D904BDD752B6F23D81E93ECA3BD8E0F3
                    SHA1:026D8B0D0F79861746760B0431AD46BAD2A01676
                    SHA-256:B393D3CEC8368794972E4ADD978B455A2F5BD37E3A116264DBED14DC8C67D6F2
                    SHA-512:5B862B7F0BCCEF48E6A5A270C3F6271D7A5002465EAF347C6A266365F1B2CD3D88144C043D826D3456AA43484124D619BF16F9AEAB1F706463F553EE24CB5740
                    Malicious:false
                    Reputation:moderate, very likely benign file
                    Preview:@...e................................. ..............@..........
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Reputation:high, very likely benign file
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):6222
                    Entropy (8bit):3.693798205622536
                    Encrypted:false
                    SSDEEP:96:AxOdy5aCbo/kvhkvCCtMi9j9eHXi9j92+Hz:RdyLUMi9Ui9F
                    MD5:E73B3C0BC2D5541655AA602BDD142248
                    SHA1:2BE8881C4542A084308A4F32E87F5AEE6F9CF77E
                    SHA-256:30C3C6D2F2D0D2CE95BF6F9CB6E1C2B7A2B4FE61EE56897E67C8C5F7C576600C
                    SHA-512:4C10B584DF7C36B962A9BEA7F8D5970923776FBAED5ABC99BDACEB3FF3B0C45FBC1E277DC85D0E81DDA305BA1508C791A4A049587C11699FEE385DEDC97EDEC2
                    Malicious:false
                    Preview:...................................FL..................F.".. ...d......O n.....z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M...............~.........t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl8Y......B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....8Y....Roaming.@......DWSl8Y......C.......................R.R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl8Y......D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW r..Windows.@......DWSl8Y......E......................n..W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl8Y......G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl8Y......H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl8Y......q...........
                    File type:ASCII text, with very long lines (65529)
                    Entropy (8bit):3.1236722012388327
                    TrID:
                      File name:lzsVg6vGuu.ps1
                      File size:329'750 bytes
                      MD5:f1d2e68a2a7f4059e127ddf926ab1e0f
                      SHA1:99a1ac8445d42593ffa8f045e4c1db0dde3e4436
                      SHA256:0e904a68907cdddfb773cfc3a2af790456f928acf00d119afd237e516683d548
                      SHA512:acb6084892bf6ee465fb4f37e1e47e86c971568e06194a75c2870bca8e3ae92cadc178f110fc2de221fb7e155cf8715328556ee38a032846539cd2a8f6c6fb0f
                      SSDEEP:3072:5L3D5WXtWVH44LhC8z60U4h3mSOQTUfWwLC5ImBK5W9Fp81fABAUvetcTnZ/:l5W0H44LhC8bTUOwqYyfb1
                      TLSH:2F64CC898537FB85CC0228A61D2B39F078C86D5EA1F5C8F0AF379C1A25D50589FBDDA1
                      File Content Preview:try.{..$cake = "4D_5A_90_00_03_00_00_00_04_00_00_00_FF_FF_00_00_B8_00_00_00_00_00_00_00_40_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_80_00_00_00_0E_1F_BA_0E_00_B4_09_CD_21_B8_01_4C_CD_21_54_68
                      Icon Hash:3270d6baae77db44
                      Sep 24, 2024 19:18:42.461534023 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:18:42.487832069 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:18:42.492676973 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:18:42.633436918 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:18:42.635417938 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:18:42.640377045 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:18:42.728981972 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:18:42.731887102 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:18:42.736711979 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:18:57.270348072 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:18:57.275348902 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:18:57.445694923 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:18:57.452756882 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:18:57.457621098 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:18:57.834243059 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:18:57.839108944 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:18:58.009437084 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:18:58.011374950 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:18:58.016315937 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:18:58.409694910 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:18:58.414729118 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:18:58.487950087 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:18:58.492949963 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:18:58.585221052 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:18:58.592570066 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:18:58.597508907 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:18:58.686038017 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:18:58.687830925 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:18:58.692749977 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:02.894844055 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:03.003213882 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:19:13.269009113 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:19:13.274036884 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:13.444834948 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:13.447463989 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:19:13.452331066 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:19.519398928 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:19:19.556364059 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:19.556420088 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:19:19.827078104 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:19.833256006 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:19.833327055 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:19:19.851351023 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:19.997862101 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:19.999686003 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:19:20.289562941 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:20.289618015 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:19:20.290908098 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:20.290954113 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:19:20.314768076 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:20.590296984 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:20.592452049 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:19:20.597517967 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:29.769361019 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:19:29.774525881 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:29.955771923 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:29.966672897 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:19:29.983800888 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:32.901700020 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:32.956216097 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:19:44.564434052 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:19:44.569359064 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:44.739762068 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:44.784320116 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:19:44.939536095 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:19:44.944439888 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:45.331595898 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:19:45.336606979 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:45.362848043 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:19:45.367917061 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:45.506963015 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:45.508909941 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:19:45.513803005 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:45.521774054 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:19:45.526761055 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:45.596492052 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:45.599087000 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:19:45.604861021 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:45.809112072 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:45.811161041 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:19:45.817090988 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:46.628357887 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:19:46.633934975 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:46.976077080 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:46.978490114 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:19:46.984675884 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:55.675597906 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:19:55.680533886 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:55.784989119 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:19:55.790052891 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:55.851269960 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:55.853503942 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:19:55.858371019 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:55.960592031 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:55.962366104 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:19:55.967257977 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:56.378388882 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:19:56.383373022 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:56.554291964 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:19:56.557725906 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:19:56.562649965 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:01.534854889 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:01.539753914 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:01.612967968 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:01.617944956 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:01.659714937 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:01.665183067 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:01.675462961 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:01.680283070 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:01.710298061 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:01.743593931 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:01.791899920 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:01.837413073 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:01.839679003 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:01.844568968 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:01.847462893 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:01.852298975 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:01.934572935 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:01.936134100 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:01.941050053 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:02.030149937 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:02.033173084 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:02.038283110 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:02.137195110 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:02.139218092 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:02.144130945 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:02.898947954 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:02.957313061 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:16.628232002 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:16.633155107 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:16.804105043 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:16.806397915 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:16.811413050 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:17.612761974 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:17.617793083 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:17.644051075 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:17.649148941 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:17.722193956 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:17.727143049 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:17.753381968 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:17.758296013 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:17.788001060 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:17.790080070 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:17.839904070 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:17.888031960 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:17.889528036 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:17.894480944 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:17.983088970 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:17.984538078 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:17.989924908 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:18.079720020 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:18.080986977 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:18.086817980 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:18.086894035 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:18.092509031 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:18.373435974 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:18.375288010 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:18.380206108 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:21.612735987 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:21.617741108 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:21.788675070 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:21.790668964 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:21.795629978 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:21.862692118 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:21.867567062 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:22.094237089 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:22.096026897 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:22.101102114 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:24.631361008 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:24.636801004 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:24.807048082 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:24.808726072 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:24.813544989 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:32.896123886 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:32.943290949 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:33.518990993 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:33.525235891 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:33.675076008 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:33.680018902 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:33.694480896 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:33.697105885 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:33.744060040 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:33.744106054 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:33.748882055 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:33.800128937 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:33.804939032 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:33.831406116 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:33.836261988 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:33.850553989 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:33.852479935 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:33.903800964 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:33.903846025 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:33.908675909 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:33.909552097 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:33.914374113 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:33.925245047 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:33.930206060 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:33.946409941 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:33.948390961 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:33.995769024 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:34.019054890 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:34.020539045 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:34.025588036 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:34.034583092 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:34.039428949 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:34.097038984 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:34.101975918 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:34.112732887 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:34.115839958 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:34.159353971 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:34.159813881 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:34.159914017 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:34.164829969 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:34.190515041 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:34.191926003 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:34.243771076 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:34.243886948 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:34.248728991 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:34.285765886 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:34.287276983 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:34.339831114 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:34.381536961 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:34.387228012 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:34.392102003 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:34.480830908 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:34.485318899 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:34.490259886 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:34.497325897 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:34.502229929 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:39.503525019 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:39.508424997 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:39.675163984 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:39.678886890 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:39.680072069 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:39.680794954 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:39.685652971 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:39.850881100 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:39.852716923 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:39.857618093 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:46.378247023 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:46.383269072 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:46.553910971 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:46.559324980 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:46.564207077 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:49.019033909 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:49.023974895 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:49.194484949 CEST5000049710191.96.207.180192.168.2.5
                      Sep 24, 2024 19:20:49.195310116 CEST4971050000192.168.2.5191.96.207.180
                      Sep 24, 2024 19:20:49.203459978 CEST5000049710191.96.207.180192.168.2.5
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Sep 24, 2024 19:16:57.808954954 CEST | 58309 | 53 | 192.168.2.5 | 1.1.1.1
                      Sep 24, 2024 19:16:57.822468996 CEST | 53 | 58309 | 1.1.1.1 | 192.168.2.5
                      Sep 24, 2024 19:17:09.910823107 CEST | 59292 | 53 | 192.168.2.5 | 1.1.1.1
                      Sep 24, 2024 19:17:10.211461067 CEST | 53 | 59292 | 1.1.1.1 | 192.168.2.5
                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                      Sep 24, 2024 19:16:57.808954954 CEST | 192.168.2.5 | 1.1.1.1 | 0x4d74 | Standard query (0) | vecotr.viewdns.net | A (IP address) | IN (0x0001) | false
                      Sep 24, 2024 19:17:09.910823107 CEST | 192.168.2.5 | 1.1.1.1 | 0xf5ba | Standard query (0) | vecotr.viewdns.net | A (IP address) | IN (0x0001) | false
                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                      Sep 24, 2024 19:16:57.822468996 CEST | 1.1.1.1 | 192.168.2.5 | 0x4d74 | No error (0) | vecotr.viewdns.net | | 191.96.207.180 | A (IP address) | IN (0x0001) | false
                      Sep 24, 2024 19:17:10.211461067 CEST | 1.1.1.1 | 192.168.2.5 | 0xf5ba | No error (0) | vecotr.viewdns.net | | 191.96.207.180 | A (IP address) | IN (0x0001) | false
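The two DNS tables and the TCP trace above describe one thing: the guest asked 1.1.1.1 for vecotr.viewdns.net, received 191.96.207.180, and then kept a single TCP session from local port 49710 to port 50000 on that address for the rest of the run. The block below is an added example, not part of the Joe Sandbox report, that turns a hand-separated subset of those rows into a per-flow summary: packets per direction, how often the guest opened a new exchange, whether the server port is one a normal client session would use, and which DNS answer the server address came from. The pipe-separated row layout, the one-second threshold that folds the packets of one exchange into a single check-in, and the list of common ports are choices of the example, not of the report.

```python
"""Beacon triage over Joe Sandbox network rows (added example, not report code)."""
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed input: the first 24 TCP rows of the report's trace, split by hand
# into "timestamp | src port | dst port | src ip | dst ip", and the two DNS
# answers as "timestamp | name | address". A subset, so the block runs offline.
TCP_ROWS = """
Sep 24, 2024 19:17:32.940926075 CEST | 49710 | 50000 | 192.168.2.5 | 191.96.207.180
Sep 24, 2024 19:17:42.613507032 CEST | 49710 | 50000 | 192.168.2.5 | 191.96.207.180
Sep 24, 2024 19:17:42.618483067 CEST | 50000 | 49710 | 191.96.207.180 | 192.168.2.5
Sep 24, 2024 19:17:42.788821936 CEST | 50000 | 49710 | 191.96.207.180 | 192.168.2.5
Sep 24, 2024 19:17:42.790700912 CEST | 49710 | 50000 | 192.168.2.5 | 191.96.207.180
Sep 24, 2024 19:17:42.795583010 CEST | 50000 | 49710 | 191.96.207.180 | 192.168.2.5
Sep 24, 2024 19:17:57.394292116 CEST | 49710 | 50000 | 192.168.2.5 | 191.96.207.180
Sep 24, 2024 19:17:57.399291039 CEST | 50000 | 49710 | 191.96.207.180 | 192.168.2.5
Sep 24, 2024 19:17:57.570207119 CEST | 50000 | 49710 | 191.96.207.180 | 192.168.2.5
Sep 24, 2024 19:17:57.573318958 CEST | 49710 | 50000 | 192.168.2.5 | 191.96.207.180
Sep 24, 2024 19:17:57.578737020 CEST | 50000 | 49710 | 191.96.207.180 | 192.168.2.5
Sep 24, 2024 19:18:02.896378040 CEST | 50000 | 49710 | 191.96.207.180 | 192.168.2.5
Sep 24, 2024 19:18:02.940798998 CEST | 49710 | 50000 | 192.168.2.5 | 191.96.207.180
Sep 24, 2024 19:18:05.659962893 CEST | 49710 | 50000 | 192.168.2.5 | 191.96.207.180
Sep 24, 2024 19:18:05.665091991 CEST | 50000 | 49710 | 191.96.207.180 | 192.168.2.5
Sep 24, 2024 19:18:05.835422039 CEST | 50000 | 49710 | 191.96.207.180 | 192.168.2.5
Sep 24, 2024 19:18:05.837337971 CEST | 49710 | 50000 | 192.168.2.5 | 191.96.207.180
Sep 24, 2024 19:18:05.842211008 CEST | 50000 | 49710 | 191.96.207.180 | 192.168.2.5
Sep 24, 2024 19:18:16.269277096 CEST | 49710 | 50000 | 192.168.2.5 | 191.96.207.180
Sep 24, 2024 19:18:16.274543047 CEST | 50000 | 49710 | 191.96.207.180 | 192.168.2.5
Sep 24, 2024 19:18:16.445694923 CEST | 50000 | 49710 | 191.96.207.180 | 192.168.2.5
Sep 24, 2024 19:18:16.450258017 CEST | 49710 | 50000 | 192.168.2.5 | 191.96.207.180
Sep 24, 2024 19:18:16.455199957 CEST | 50000 | 49710 | 191.96.207.180 | 192.168.2.5
Sep 24, 2024 19:18:21.144193888 CEST | 49710 | 50000 | 192.168.2.5 | 191.96.207.180
"""
DNS_ANSWERS = """
Sep 24, 2024 19:16:57.822468996 CEST | vecotr.viewdns.net | 191.96.207.180
Sep 24, 2024 19:17:10.211461067 CEST | vecotr.viewdns.net | 191.96.207.180
"""
CLIENT_IP = "192.168.2.5"  # the sandbox guest, as given in the report

# Ports an ordinary outbound client session is expected to use (example's own
# list); anything else mirrors the report's "traffic on non-standard ports".
COMMON_CLIENT_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 8080, 8443}


def parse_ts(text: str) -> float:
    """'Sep 24, 2024 19:17:32.940926075 CEST' -> epoch seconds as a float.

    Joe Sandbox prints nine fractional digits and strptime's %f takes at most
    six, so the fraction is added by hand. Only differences between timestamps
    are used, so the zone label is ignored.
    """
    whole, rest = text.split(".", 1)
    frac, _zone = rest.split(" ", 1)
    base = datetime.strptime(whole, "%b %d, %Y %H:%M:%S").replace(tzinfo=timezone.utc)
    return base.timestamp() + int(frac) / 10 ** len(frac)


def parse_tcp_rows(text: str):
    rows = []
    for line in text.strip().splitlines():
        ts, sport, dport, sip, dip = (c.strip() for c in line.split("|"))
        rows.append((parse_ts(ts), int(sport), int(dport), sip, dip))
    return rows


def burst_starts(times, gap: float = 1.0):
    """Collapse the packets of one request/response exchange into one event."""
    times = sorted(times)
    starts = times[:1]
    for prev, cur in zip(times, times[1:]):
        if cur - prev > gap:
            starts.append(cur)
    return starts


def beacon_report(tcp_text: str, dns_text: str, client_ip: str, gap: float = 1.0):
    """Per (server, port): packet counts, check-in cadence and DNS pivot."""
    ip_to_name = {}
    for line in dns_text.strip().splitlines():
        _ts, name, addr = (c.strip() for c in line.split("|"))
        ip_to_name[addr] = name

    flows = defaultdict(lambda: {"out": [], "in": 0})
    for ts, sport, dport, sip, dip in parse_tcp_rows(tcp_text):
        if sip == client_ip:
            flows[(dip, dport)]["out"].append(ts)      # guest -> server
        else:
            flows[(sip, sport)]["in"] += 1             # server -> guest

    report = {}
    for (server, port), f in flows.items():
        starts = burst_starts(f["out"], gap)
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        report[(server, port)] = {
            "domain": ip_to_name.get(server),
            "client_packets": len(f["out"]),
            "server_packets": f["in"],
            "check_ins": len(starts),
            "median_interval_s": statistics.median(gaps) if gaps else None,
            "nonstandard_port": port not in COMMON_CLIENT_PORTS,
        }
    return report


if __name__ == "__main__":
    for (server, port), info in beacon_report(TCP_ROWS, DNS_ANSWERS, CLIENT_IP).items():
        print(f"{server}:{port} ({info['domain']}):", info)
```

On the 24 sample rows the single flow resolves to vecotr.viewdns.net, shows seven guest-initiated check-ins a few seconds apart on a port outside the common set, and the same routine applied to the full table gives the cadence over the whole run. Grouping by burst rather than by raw packet matters: each exchange here is three to five packets within 200 ms, and counting those individually would hide the interval between check-ins.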


                      Target ID: 0
                      Start time: 13:16:39
                      Start date: 24/09/2024
                      Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit): false
                      Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\lzsVg6vGuu.ps1"
                      Imagebase: 0x7ff7be880000
                      File size: 452'608 bytes
                      MD5 hash: 04029E121A0CFA5991749937DD22A1D9
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2257804729.000001EF66360000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2222452936.000001EF4FCF4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2222452936.000001EF4FCF4000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2222452936.000001EF4DE18000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2222452936.000001EF4DE18000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2222452936.000001EF4F615000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      Reputation: high
                      Has exited: true

                      Target ID: 1
                      Start time: 13:16:39
                      Start date: 24/09/2024
                      Path: C:\Windows\System32\conhost.exe
                      Wow64 process (32bit): false
                      Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase: 0x7ff6d64d0000
                      File size: 862'208 bytes
                      MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: C, C++ or other language
                      Reputation: high
                      Has exited: true

                      Target ID: 3
                      Start time: 13:16:53
                      Start date: 24/09/2024
                      Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Wow64 process (32bit): true
                      Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                      Imagebase: 0xc00000
                      File size: 45'984 bytes
                      MD5 hash: 9D352BC46709F0CB5EC974633A0C3C94
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.4541636424.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000002.4541636424.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.4544033567.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      Reputation: high
                      Has exited: false
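The process list above carries three signals a triage script can check mechanically: a PowerShell command line that lowers the execution policy, a .NET framework utility (RegSvcs.exe, 32-bit) started with no arguments fourteen seconds later, and an XWorm Yara hit inside RegSvcs.exe at 0x402000, well below that process's own image base of 0xc00000. The block below is an added example, not code from the Joe Sandbox report, that encodes those checks over the three records as transcribed. It assumes that the fifth and seventh dot-separated fields of a .sdmp source name are the region's Protect and Type values (0x04 PAGE_READWRITE, 0x40 PAGE_EXECUTE_READWRITE, 0x20000 MEM_PRIVATE); the values in the report are consistent with that reading, but the report itself does not document the field layout. The list of .NET host binaries is likewise the example's own.

```python
"""Process-list triage for the report's three processes (added example)."""
import re

# Assumed .sdmp name layout: pid.phase.dumpid.address.protect.<unused>.type.<unused>.
# Protect/Type are read as MEMORY_BASIC_INFORMATION values; this is an assumption
# of the example, not something the report states.
DUMP_RE = re.compile(
    r"^(?P<pid>[0-9a-f]{8})\.(?P<phase>[0-9a-f]{8})\.(?P<dump>\d+)"
    r"\.(?P<addr>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.(?P<f5>[0-9a-f]{8})"
    r"\.(?P<type>[0-9a-f]{8})\.(?P<f7>[0-9a-f]{8})\.sdmp$", re.I)
PAGE_EXECUTE_READWRITE = 0x40
MEM_PRIVATE = 0x20000

# .NET framework utilities commonly used as hollowing hosts (example's own list);
# a legitimate launch of any of them carries arguments.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe",
                "aspnet_compiler.exe"}

# Transcribed from the report's process list (Target IDs 0, 1 and 3); only the
# command line and the Yara sources are needed here.
PROCESSES = [
    {"id": 0,
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\lzsVg6vGuu.ps1"',
     "yara": [("JoeSecurity_PureLogStealer", "00000000.00000002.2257804729.000001EF66360000.00000004.08000000.00040000.00000000.sdmp"),
              ("JoeSecurity_XWorm", "00000000.00000002.2222452936.000001EF4FCF4000.00000004.00000800.00020000.00000000.sdmp")]},
    {"id": 1,
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "yara": []},
    {"id": 3,
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"',
     "yara": [("JoeSecurity_XWorm", "00000003.00000002.4541636424.0000000000402000.00000040.00000400.00020000.00000000.sdmp"),
              ("JoeSecurity_XWorm", "00000003.00000002.4544033567.0000000002F51000.00000004.00000800.00020000.00000000.sdmp")]},
]


def parse_dump_name(name: str) -> dict:
    """Split a .sdmp source name into integer fields (dump id is decimal)."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    return {k: int(v, 10 if k == "dump" else 16) for k, v in m.groupdict().items()}


def split_cmdline(cmdline: str):
    """Return (executable path, argument string) for quoted or bare paths."""
    m = re.match(r'^(?:"([^"]+)"|(\S+))\s*(.*)$', cmdline.strip())
    return (m.group(1) or m.group(2)), m.group(3).strip()


def triage(procs):
    """Return (target id, finding) pairs for the three checks described above."""
    findings = []
    for p in procs:
        exe, args = split_cmdline(p["cmdline"])
        name = exe.rsplit("\\", 1)[-1].lower()
        # 1. PowerShell started with the execution policy lowered on the command line.
        if name == "powershell.exe" and re.search(
                r"-ex(?:ecutionpolicy)?\s+(?:unrestricted|bypass)", args, re.I):
            findings.append((p["id"], "powershell_policy_override"))
        # 2. A .NET host utility launched bare: nothing for it to do unless hollowed.
        if name in DOTNET_HOSTS and not args:
            findings.append((p["id"], "dotnet_host_without_arguments"))
        # 3. Yara hit in RWX private memory: a payload mapped by hand, not a module.
        for rule, src in p["yara"]:
            d = parse_dump_name(src)
            if d["protect"] == PAGE_EXECUTE_READWRITE and d["type"] == MEM_PRIVATE:
                findings.append((p["id"], f"yara_in_rwx_private:{rule}@{d['addr']:#x}"))
    return findings


if __name__ == "__main__":
    for target, finding in triage(PROCESSES):
        print(f"target {target}: {finding}")
```

The third check is what separates the two RegSvcs.exe hits: the one at 0x2F51000 sits in ordinary read-write heap, as do all the PowerShell hits, while the one at 0x402000 is in an executable, writable, private region, which is what a manually mapped PE looks like from outside the process. conhost.exe produces no finding.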
