
Windows Analysis Report
7lFbTUxX9m.ps1

Overview

General Information

Sample name: 7lFbTUxX9m.ps1 (renamed because original name is a hash value)
Original sample name: 1f7bf8f9a0f91111c6faab1ebe64eacf37bfb4a0f74b202c2913823ca16d5dee.ps1
Analysis ID: 1517138
MD5: 313fe862097db895f07eaccaed97299f
SHA1: 028a697a8f5fcbb5f5a4e98ba03ecf41b23a5026
SHA256: 1f7bf8f9a0f91111c6faab1ebe64eacf37bfb4a0f74b202c2913823ca16d5dee
Tags: ps1, vecotr-viewdns-net, user-JAMESWT_MHT

Detection

PureLog Stealer, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected PureLog Stealer
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 4296 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\7lFbTUxX9m.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 5800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 1772 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
{"C2 url": ["vecotr.viewdns.net"], "Port": "50000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source | Rule | Description | Author (matched strings listed beneath each row)
00000002.00000002.1983694401.00000247E93C0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000008.00000002.4142935737.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000008.00000002.4142935737.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x6aa8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x6b45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x6c5a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x691a:$cnc4: POST / HTTP/1.1
00000002.00000002.1950283409.00000247D12A7000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000002.00000002.1950283409.00000247D12A7000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x1a9498:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1a9535:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x1a964a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x1a930a:$cnc4: POST / HTTP/1.1
Source | Rule | Description | Author (matched strings listed beneath each row)
2.2.powershell.exe.247d2d56d30.1.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
2.2.powershell.exe.247d14497f0.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
2.2.powershell.exe.247d14497f0.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x4ea8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x4f45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x505a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x4d1a:$cnc4: POST / HTTP/1.1
8.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
8.2.RegSvcs.exe.400000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x6ca8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x6d45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x6e5a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x6b1a:$cnc4: POST / HTTP/1.1

System Summary

Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\7lFbTUxX9m.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\7lFbTUxX9m.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\7lFbTUxX9m.ps1", ProcessId: 4296, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\7lFbTUxX9m.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\7lFbTUxX9m.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\7lFbTUxX9m.ps1", ProcessId: 4296, ProcessName: powershell.exe

AV Detection

Source: 00000002.00000002.1950283409.00000247D12A7000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["vecotr.viewdns.net"], "Port": "50000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: 7lFbTUxX9m.ps1 | ReversingLabs: Detection: 23%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 2.2.powershell.exe.247d14497f0.0.raw.unpack | String decryptor: vecotr.viewdns.net
Source: 2.2.powershell.exe.247d14497f0.0.raw.unpack | String decryptor: 50000
Source: 2.2.powershell.exe.247d14497f0.0.raw.unpack | String decryptor: <123456789>
Source: 2.2.powershell.exe.247d14497f0.0.raw.unpack | String decryptor: <Xwormmm>
Source: 2.2.powershell.exe.247d14497f0.0.raw.unpack | String decryptor: XWorm V5.6
Source: 2.2.powershell.exe.247d14497f0.0.raw.unpack | String decryptor: USB.exe
Source: Binary string: NewPE2.pdb | source: powershell.exe, 00000002.00000002.1983694401.00000247E93C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.1950283409.00000247D2AA5000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: NewPE2.pdb(@ | source: powershell.exe, 00000002.00000002.1983694401.00000247E93C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.1950283409.00000247D2AA5000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft

Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.8:49709 -> 191.96.207.180:50000
Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 191.96.207.180:50000 -> 192.168.2.8:49709
Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.8:49709 -> 191.96.207.180:50000
Source: Network traffic | Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 191.96.207.180:50000 -> 192.168.2.8:49709
Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.8:49709 -> 191.96.207.180:50000
Source: Malware configuration extractor | URLs: vecotr.viewdns.net
Source: global traffic | TCP traffic: 192.168.2.8:49709 -> 191.96.207.180:50000
Source: Joe Sandbox View | ASN Name: ASN-XTUDIONETES
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: vecotr.viewdns.net
Source: powershell.exe, 00000002.00000002.1981959758.00000247E920D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.v
Source: powershell.exe, 00000002.00000002.1969861347.00000247E11F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.1950283409.00000247D12A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1950283409.00000247D1081000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4147288902.00000000032E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1950283409.00000247D12A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.1950283409.00000247D1081000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000002.00000002.1969861347.00000247E11F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1969861347.00000247E11F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1969861347.00000247E11F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.1950283409.00000247D12A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1969861347.00000247E11F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Source: 2.2.powershell.exe.247d14497f0.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 2.2.powershell.exe.247d14497f0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 00000008.00000002.4142935737.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 00000002.00000002.1950283409.00000247D12A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 00000002.00000002.1950283409.00000247D310C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process Stats: CPU usage > 49%
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFB4B16A0B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_032AB2B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_032A81D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_032A5510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_032ABFF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_032A5DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_032A51C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_032A0BA0
Source: 2.2.powershell.exe.247d14497f0.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.powershell.exe.247d14497f0.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000008.00000002.4142935737.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000002.1950283409.00000247D12A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000002.1950283409.00000247D310C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.powershell.exe.247d2d56d30.1.raw.unpack, EwV3ECxYhIse1SOarW.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.powershell.exe.247e93c0000.2.raw.unpack, EwV3ECxYhIse1SOarW.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: 2.2.powershell.exe.247d14497f0.0.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
              Source: 2.2.powershell.exe.247d14497f0.0.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
              Source: 2.2.powershell.exe.247d14497f0.0.raw.unpack, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
              Source: classification engine | Classification label: mal100.troj.evad.winPS1@4/6@1/1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\FxwhhRft8tFCNpWd
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5800:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qitkjwak.5ze.ps1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
              Source: 7lFbTUxX9m.ps1 | ReversingLabs: Detection: 23%
              Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\7lFbTUxX9m.ps1"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: Binary string: NewPE2.pdb source: powershell.exe, 00000002.00000002.1983694401.00000247E93C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.1950283409.00000247D2AA5000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: NewPE2.pdb(@ source: powershell.exe, 00000002.00000002.1983694401.00000247E93C0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.1950283409.00000247D2AA5000.00000004.00000800.00020000.00000000.sdmp

              Data Obfuscation

              Source: 2.2.powershell.exe.247d2d56d30.1.raw.unpack, EwV3ECxYhIse1SOarW.cs | .Net Code: uDdV8u69VKLnNev38PJ(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{uDdV8u69VKLnNev38PJ(typeof(IntPtr).TypeHandle),typeof(Type)})
              Source: 2.2.powershell.exe.247e93c0000.2.raw.unpack, EwV3ECxYhIse1SOarW.cs | .Net Code: uDdV8u69VKLnNev38PJ(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{uDdV8u69VKLnNev38PJ(typeof(IntPtr).TypeHandle),typeof(Type)})
              Source: 2.2.powershell.exe.247d14497f0.0.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 2.2.powershell.exe.247d14497f0.0.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 2.2.powershell.exe.247d14497f0.0.raw.unpack, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
              Source: 2.2.powershell.exe.247d14497f0.0.raw.unpack, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
              Source: 2.2.powershell.exe.247d14497f0.0.raw.unpack, Messages.cs | .Net Code: Memory
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_032AB200 push es; ret 8_2_032AB210
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_032A7DA0 push eax; iretd 8_2_032A7DA1
              Source: 2.2.powershell.exe.247d2d56d30.1.raw.unpack, EwV3ECxYhIse1SOarW.cs | High entropy of concatenated method names: 'coIv6gaxrKyOU6UxhGB', 'YmKxVlaSSMxjg7yeSZr', 'BPTavEfPI8', 'pdaPcya8thctOw7jJPR', 'e52AmiaR6Zmb9lryLLG', 'VFhmi5apOUL45Layo85', 's7lkoDagZ7SB5rZQITN', 'q7yQT6aJ19wG5Ff3PrV', 'eUANGaaiQTIQvIro7Lh', 'yOG8BOaIDUqRkTkYGTt'
              Source: 2.2.powershell.exe.247d2d56d30.1.raw.unpack, geUwbRLwd0WNm7K3QP.cs | High entropy of concatenated method names: 'rkesS35Cky', 'auIkQH6o4NfXZEtqLWo', 'UtNfEh6dtiuHEv5GyR3', 'tobPIO6cNsowhYm6JYZ', 'z08y4G6OJTjebtPXsBe', 'xM0xGg6Dv9ifjCVCALk', 's2oSNh6kHwXWCjPNT1e', 'RHJgFS6jYOqPmd8yqch', 'HCgwjo6NdCdqwgS1jXN'
              Source: 2.2.powershell.exe.247d2d56d30.1.raw.unpack, Native.cs | High entropy of concatenated method names: 'LoadLibraryA', 'GetProcAddress', 'LoadApi', 'M2DDfJCjDKI6dkvGbUU', 'HytCt3CceuoYVLARgTH', 'asbBtkCOLuWCxWmxMrH', 'iPe0TGCNg1ulsrFuGHe', 'XE084OCYFp6QURxQXNM', 'xNDrW9CmxlBnIETjTvQ'
              Source: 2.2.powershell.exe.247d2d56d30.1.raw.unpack, Str.cs | High entropy of concatenated method names: 'ReverseString', 'BinaryToString', 'yRVbf4CTORcmD8WTJOo', 'CGyNH1CXiymcSWZhYiZ', 'fAYOIbCErgtjxemufl3', 'Y23WHXCwRSKNSXICkhU', 'IvO6ajC1bhZeT4AHTEO', 'vHGAm5CepTLTEblhDwj', 'Vx8Qx4CvcsaBOBt7IZf', 'n2p6k0CrwoLDc063WAb'
              Source: 2.2.powershell.exe.247d2d56d30.1.raw.unpack, PE.cs | High entropy of concatenated method names: 'Execute', 'muFoq8CAseaYDIPspOv', 'KRwVQXCGtZfeLlAnof5', 'arNOAMCxGMOePGZ8BMp', 'nnjcWOCSyXwHiJoVevG', 'Tvu02TCfqoPNp1rrRW2', 'nFaWI9Cl6YnHEcOun9x', 'oUX4ckCK7QI2rXqWGRQ', 'GFGnodC8lHNWHj6unEy', 'wBS7MKCRFTgjZ1Q4fVT'
              Source: 2.2.powershell.exe.247e93c0000.2.raw.unpack, EwV3ECxYhIse1SOarW.cs | High entropy of concatenated method names: 'coIv6gaxrKyOU6UxhGB', 'YmKxVlaSSMxjg7yeSZr', 'BPTavEfPI8', 'pdaPcya8thctOw7jJPR', 'e52AmiaR6Zmb9lryLLG', 'VFhmi5apOUL45Layo85', 's7lkoDagZ7SB5rZQITN', 'q7yQT6aJ19wG5Ff3PrV', 'eUANGaaiQTIQvIro7Lh', 'yOG8BOaIDUqRkTkYGTt'
              Source: 2.2.powershell.exe.247e93c0000.2.raw.unpack, geUwbRLwd0WNm7K3QP.cs | High entropy of concatenated method names: 'rkesS35Cky', 'auIkQH6o4NfXZEtqLWo', 'UtNfEh6dtiuHEv5GyR3', 'tobPIO6cNsowhYm6JYZ', 'z08y4G6OJTjebtPXsBe', 'xM0xGg6Dv9ifjCVCALk', 's2oSNh6kHwXWCjPNT1e', 'RHJgFS6jYOqPmd8yqch', 'HCgwjo6NdCdqwgS1jXN'
              Source: 2.2.powershell.exe.247e93c0000.2.raw.unpack, Native.cs | High entropy of concatenated method names: 'LoadLibraryA', 'GetProcAddress', 'LoadApi', 'M2DDfJCjDKI6dkvGbUU', 'HytCt3CceuoYVLARgTH', 'asbBtkCOLuWCxWmxMrH', 'iPe0TGCNg1ulsrFuGHe', 'XE084OCYFp6QURxQXNM', 'xNDrW9CmxlBnIETjTvQ'
              Source: 2.2.powershell.exe.247e93c0000.2.raw.unpack, Str.cs | High entropy of concatenated method names: 'ReverseString', 'BinaryToString', 'yRVbf4CTORcmD8WTJOo', 'CGyNH1CXiymcSWZhYiZ', 'fAYOIbCErgtjxemufl3', 'Y23WHXCwRSKNSXICkhU', 'IvO6ajC1bhZeT4AHTEO', 'vHGAm5CepTLTEblhDwj', 'Vx8Qx4CvcsaBOBt7IZf', 'n2p6k0CrwoLDc063WAb'
              Source: 2.2.powershell.exe.247e93c0000.2.raw.unpack, PE.cs | High entropy of concatenated method names: 'Execute', 'muFoq8CAseaYDIPspOv', 'KRwVQXCGtZfeLlAnof5', 'arNOAMCxGMOePGZ8BMp', 'nnjcWOCSyXwHiJoVevG', 'Tvu02TCfqoPNp1rrRW2', 'nFaWI9Cl6YnHEcOun9x', 'oUX4ckCK7QI2rXqWGRQ', 'GFGnodC8lHNWHj6unEy', 'wBS7MKCRFTgjZ1Q4fVT'
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4305
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 3663
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 6159
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3904 | Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: RegSvcs.exe, 00000008.00000002.4143985479.0000000001520000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

Source: 2.2.powershell.exe.247d2d56d30.1.raw.unpack, Native.cs | Reference to suspicious API methods: hZtBkRIAsdEfXyYT8l.DKNdSqYsy(GetProcAddress(LoadLibraryA(ref *(string*)(&name)), ref *(string*)(&method)), eNT4yUcAs2TV1EOUTN.DKNdSqYsy(typeof(CreateApi).TypeHandle, eNT4yUcAs2TV1EOUTN.NP4OpjU4s), hZtBkRIAsdEfXyYT8l.mQhtqTkRs)
Source: 2.2.powershell.exe.247d2d56d30.1.raw.unpack, PE.cs | Reference to suspicious API methods: Native.WriteProcessMemory(processInformation.ProcessHandle, num10 + num16, array3, array3.Length, ref bytesWritten)
Source: 2.2.powershell.exe.247d2d56d30.1.raw.unpack, PE.cs | Reference to suspicious API methods: Native.ReadProcessMemory(processInformation.ProcessHandle, num5 + 8, ref buffer2, 4, ref bytesWritten)
Source: 2.2.powershell.exe.247d2d56d30.1.raw.unpack, PE.cs | Reference to suspicious API methods: x42mfHCtV6jaJIpPla7(Native.VirtualAllocEx, processInformation.ProcessHandle, num6, length, 12288, 64)
Source: 2.2.powershell.exe.247d14497f0.0.raw.unpack, Messages.cs | Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 40A000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 40C000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 10F2008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

              Stealing of Sensitive Information

Source: Yara match | File source: 2.2.powershell.exe.247d2d56d30.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.powershell.exe.247e93c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.powershell.exe.247d2d56d30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.powershell.exe.247e93c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1983694401.00000247E93C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1950283409.00000247D2AA5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.powershell.exe.247d14497f0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.powershell.exe.247d14497f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.4142935737.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1950283409.00000247D12A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4147288902.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1950283409.00000247D310C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 4296, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1772, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match | File source: 2.2.powershell.exe.247d2d56d30.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.powershell.exe.247e93c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.powershell.exe.247d2d56d30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.powershell.exe.247e93c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1983694401.00000247E93C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1950283409.00000247D2AA5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.powershell.exe.247d14497f0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.powershell.exe.247d14497f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.4142935737.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1950283409.00000247D12A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4147288902.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1950283409.00000247D310C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 4296, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1772, type: MEMORYSTR

ATT&CK techniques by tactic (a number in front of a technique is the count shown in the original matrix):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: 11 Windows Management Instrumentation, 1 Native API, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
Persistence: 1 DLL Side-Loading, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Privilege Escalation: 211 Process Injection, 1 DLL Side-Loading, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Defense Evasion: 1 Masquerading, 1 Disable or Modify Tools, 121 Virtualization/Sandbox Evasion, 211 Process Injection, 1 Deobfuscate/Decode Files or Information, 1 Obfuscated Files or Information, 2 Software Packing, 1 DLL Side-Loading
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: 111 Security Software Discovery, 1 Process Discovery, 121 Virtualization/Sandbox Evasion, 1 Application Window Discovery, 2 File and Directory Discovery, 13 System Information Discovery, Remote System Discovery, System Owner/User Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
Collection: 11 Archive Collected Data, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Command and Control: 1 Encrypted Channel, 1 Non-Standard Port, 1 Non-Application Layer Protocol, 11 Application Layer Protocol, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
Source | Detection | Scanner | Label
7lFbTUxX9m.ps1 | 24% | ReversingLabs | Script-PowerShell.Backdoor.Xworm
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
vecotr.viewdns.net | 0% | Avira URL Cloud | safe
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
http://crl.v | 0% | Avira URL Cloud | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
vecotr.viewdns.net | 191.96.207.180 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
vecotr.viewdns.net | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.1969861347.00000247E11F4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.1950283409.00000247D1081000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.1950283409.00000247D12A7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.1950283409.00000247D1081000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4147288902.00000000032E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.1950283409.00000247D12A7000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.v | powershell.exe, 00000002.00000002.1981959758.00000247E920D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.1950283409.00000247D12A7000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000002.00000002.1969861347.00000247E11F4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.1969861347.00000247E11F4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000002.00000002.1969861347.00000247E11F4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000002.00000002.1969861347.00000247E11F4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
191.96.207.180 | vecotr.viewdns.net | Chile | 60458 | ASN-XTUDIONETES | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1517138
Start date and time: 2024-09-24 19:16:25 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 26s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 7lFbTUxX9m.ps1
renamed because original name is a hash value
Original Sample Name: 1f7bf8f9a0f91111c6faab1ebe64eacf37bfb4a0f74b202c2913823ca16d5dee.ps1
Detection: MAL
Classification: mal100.troj.evad.winPS1@4/6@1/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 15
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .ps1
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target RegSvcs.exe, PID 1772 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 4296 because it is empty
• Not all processes were analyzed, report is missing behavior information
• VT rate limit hit for: 7lFbTUxX9m.ps1
Time | Type | Description
13:17:59 | API Interceptor | 39x Sleep call for process: powershell.exe modified
13:18:15 | API Interceptor | 7440624x Sleep call for process: RegSvcs.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
191.96.207.180 | XeI2N4WyGz.ps1 | malicious | XWorm |
191.96.207.180 | lzsVg6vGuu.ps1 | malicious | PureLog Stealer, XWorm |
191.96.207.180 | payload_1.vbs | malicious | XWorm |
191.96.207.180 | Commitment_for_Title_Insurance-660184790411.wsf | malicious | XWorm |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
vecotr.viewdns.net | XeI2N4WyGz.ps1 | malicious | XWorm | 191.96.207.180
vecotr.viewdns.net | lzsVg6vGuu.ps1 | malicious | PureLog Stealer, XWorm | 191.96.207.180
vecotr.viewdns.net | payload_1.vbs | malicious | XWorm | 191.96.207.180
vecotr.viewdns.net | Commitment_for_Title_Insurance-660184790411.wsf | malicious | XWorm | 191.96.207.180
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ASN-XTUDIONETES | XeI2N4WyGz.ps1 | malicious | XWorm | 191.96.207.180
ASN-XTUDIONETES | lzsVg6vGuu.ps1 | malicious | PureLog Stealer, XWorm | 191.96.207.180
ASN-XTUDIONETES | payload_1.vbs | malicious | XWorm | 191.96.207.180
ASN-XTUDIONETES | Commitment_for_Title_Insurance-660184790411.wsf | malicious | XWorm | 191.96.207.180
ASN-XTUDIONETES | file_5822aee2333945a68f99cf2cfdd0e024_2024-09-16_14_28_33_034000.zip | malicious | Unknown | 179.61.228.98
ASN-XTUDIONETES | mlnZfOifRX.elf | malicious | Okiru | 45.151.195.118
ASN-XTUDIONETES | arm7.elf | malicious | Mirai | 185.37.230.233
ASN-XTUDIONETES | file.exe | malicious | FormBook, PureLog Stealer | 45.131.83.43
ASN-XTUDIONETES | emsO.exe | malicious | FormBook, PureLog Stealer | 45.131.83.43
ASN-XTUDIONETES | 22wonl2YIZeR0zX.exe | malicious | FormBook, PureLog Stealer | 45.131.83.43
                        No context
                        No context
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 9434
Entropy (8bit): 4.928515784730612
Encrypted: false
SSDEEP: 192:Lxoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smAH:srib4ZIkjh4iUxsT6Ypib47
MD5: D3594118838EF8580975DDA877E44DEB
SHA1: 0ACABEA9B50CA74E6EBAE326251253BAF2E53371
SHA-256: 456A877AFDD786310F7DAF74CCBC7FB6B0A0D14ABD37E3D6DE9D8277FFAC7DDE
SHA-512: 103EA89FA5AC7E661417BBFE049415EF7FA6A09C461337C174DF02925D6A691994FE91B148B28D6A712604BDBC4D1DB5FEED8F879731B36326725AA9714AC53C
Malicious: false
Reputation: moderate, very likely benign file
Preview: PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1940658735648508
Encrypted: false
SSDEEP: 3:NllluljjElz:NllUE
MD5: 11E11881DB10CF040A1189171FFA58F4
SHA1: FA0557B00771F196EF84B8274DCF7D079278811D
SHA-256: 2060C23CA036F0750DFC90E1C6D5374136E9D90262F6D125FC39BF72F75727A8
SHA-512: C4762CDBE3A3AEDD00383855E5F4DF838B053199FC721F1600371ED177B37F8FE1C0983BC05F8CA940568034E2C66F67C586950A23E5032FED4F9A985A71BD73
Malicious: false
Reputation: low
Preview: @...e.................................r.!............@..........
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 6222
Entropy (8bit): 3.7308653679509995
Encrypted: false
SSDEEP: 96:5e9CXP8EkvhkvCCtVBWutzsHp+WutzgHp+:5eiPHVBfy+fm+
MD5: 1F65872DC9AC8FD1BBBB1B3887F944E5
SHA1: B4811571E5E19BA65B9BC2F931156F39A1AAC457
SHA-256: 14DDFBD95564AC533FEBF54A46EB3C84870D61B4569D24A4B6B0D2C545C8E477
SHA-512: 5829274F03B2F47B3256C6BF0522FBE392941477B50042AF6386E2235F8FA3E566AFC07A880456A0BA045BDC3C3180C7FD1659FAEF547A9259ED9DE8B9643374
Malicious: false
                        Preview:...................................FL..................F.".. ......Yd..........z.:{.............................:..DG..Yr?.D..U..k0.&...&.......y.Yd...<i.......U|.........t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)B8Y5...........................d...A.p.p.D.a.t.a...B.V.1.....8Y*...Roaming.@......EW)B8Y*...........................U]0.R.o.a.m.i.n.g.....\.1.....EW.C..MICROS~1..D......EW)B8Y&............................. .M.i.c.r.o.s.o.f.t.....V.1.....EW.D..Windows.@......EW)B8Y&..............................W.i.n.d.o.w.s.......1.....EW+B..STARTM~1..n......EW)B8Y&.....................D.....b60.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW(C..Programs..j......EW)B8Y&.....................@.......D.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)BEW)B..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW)B8Y:......0..........
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):6222
                        Entropy (8bit):3.7308653679509995
                        Encrypted:false
                        SSDEEP:96:5e9CXP8EkvhkvCCtVBWutzsHp+WutzgHp+:5eiPHVBfy+fm+
                        MD5:1F65872DC9AC8FD1BBBB1B3887F944E5
                        SHA1:B4811571E5E19BA65B9BC2F931156F39A1AAC457
                        SHA-256:14DDFBD95564AC533FEBF54A46EB3C84870D61B4569D24A4B6B0D2C545C8E477
                        SHA-512:5829274F03B2F47B3256C6BF0522FBE392941477B50042AF6386E2235F8FA3E566AFC07A880456A0BA045BDC3C3180C7FD1659FAEF547A9259ED9DE8B9643374
                        Malicious:false
                        Preview:...................................FL..................F.".. ......Yd..........z.:{.............................:..DG..Yr?.D..U..k0.&...&.......y.Yd...<i.......U|.........t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)B8Y5...........................d...A.p.p.D.a.t.a...B.V.1.....8Y*...Roaming.@......EW)B8Y*...........................U]0.R.o.a.m.i.n.g.....\.1.....EW.C..MICROS~1..D......EW)B8Y&............................. .M.i.c.r.o.s.o.f.t.....V.1.....EW.D..Windows.@......EW)B8Y&..............................W.i.n.d.o.w.s.......1.....EW+B..STARTM~1..n......EW)B8Y&.....................D.....b60.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW(C..Programs..j......EW)B8Y&.....................@.......D.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)BEW)B..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW)B8Y:......0..........
                        File type:ASCII text, with very long lines (65526), with CRLF line terminators
                        Entropy (8bit):3.1247571496825963
                        TrID:
                          File name:7lFbTUxX9m.ps1
                          File size:329'781 bytes
                          MD5:313fe862097db895f07eaccaed97299f
                          SHA1:028a697a8f5fcbb5f5a4e98ba03ecf41b23a5026
                          SHA256:1f7bf8f9a0f91111c6faab1ebe64eacf37bfb4a0f74b202c2913823ca16d5dee
                          SHA512:2e9d5b6f995c9760162ace5712365cee4e7b16132512122251aa019ae753393bbe6d10788898f700c4fab4ae2cb2d7dc0b61e060c181f7019b4ba3252fa49e89
                          SSDEEP:3072:HL3D5WXtWVH44LhC8z60U4h3mSvsgTUfWwLC5ImBK5W9Fp81fABAUvetcTnZT:v5W0H44LhC87TUOwqYyfbx
                          TLSH:3664CC898537FB85CC0228A61D2B39F078C86D5EA1F5C8F0AF379C1A25D50589FBDDA1
                          File Content Preview:try..{....$cake = "4D_5A_90_00_03_00_00_00_04_00_00_00_FF_FF_00_00_B8_00_00_00_00_00_00_00_40_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_80_00_00_00_0E_1F_BA_0E_00_B4_09_CD_21_B8_01_4C_CD_21_54
                          Icon Hash:3270d6baae77db44
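The File Content Preview shows the loader's first line: a PE image (it starts 4D_5A_90_00, the MZ header) stored as an underscore-separated hex string in a PowerShell variable. The following is an added triage example, written for this page rather than taken from the sample or from the Joe Sandbox report: it pulls every such hex-string assignment out of a script, decodes it, and confirms the result is a PE by checking the MZ stub, e_lfanew and the PE signature. The variable regex, the machine-type table and the 128-byte constructed stand-in for the real 329 KB payload are my assumptions; the real script's decoding and loading code is not shown on this page.

```python
"""Extract underscore-separated hex blobs from a PowerShell loader and
check whether each one decodes to a PE image.

Added triage example; not the sample's code and not from the sandbox
vendor. Only the "$cake = "4D_5A_90_00_..." layout comes from the
report's File Content Preview; the rest is assumed for the demo."""
import re
import struct
import sys
from typing import Dict, List, Optional

# IMAGE_FILE_HEADER.Machine values (assumption: the payload is a normal PE).
MACHINE_NAMES = {0x014C: "i386", 0x8664: "x64", 0x01C4: "armnt", 0xAA64: "arm64"}

# `$name = "XX_XX_..."` with at least nine hex bytes joined by '_'.
# Assumption: the whole payload sits in one double-quoted literal.
HEX_BLOB = re.compile(r'\$(\w+)\s*=\s*"((?:[0-9A-Fa-f]{2}_){8,}[0-9A-Fa-f]{2})"')


def extract_hex_blobs(script: str) -> Dict[str, bytes]:
    """Return {variable_name: decoded bytes} for every hex-string assignment."""
    return {name: bytes.fromhex(blob.replace("_", ""))
            for name, blob in HEX_BLOB.findall(script)}


def pe_info(data: bytes) -> Optional[Dict[str, object]]:
    """Validate the MZ stub and PE signature; return header facts or None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return {"e_lfanew": e_lfanew, "machine": machine,
            "machine_name": MACHINE_NAMES.get(machine, hex(machine))}


def find_embedded_pes(script: str) -> List[Dict[str, object]]:
    """List every hex-string variable in the script that decodes to a PE."""
    found = []
    for name, data in extract_hex_blobs(script).items():
        info = pe_info(data)
        if info is not None:
            found.append({"var": name, "size": len(data), **info})
    return found


def _fake_pe() -> bytes:
    """Constructed 128-byte stand-in for the real payload: MZ stub,
    e_lfanew pointing at 0x40, PE signature, Machine = i386."""
    buf = bytearray(0x80)
    buf[0:4] = b"MZ\x90\x00"                 # same first bytes as the preview
    struct.pack_into("<I", buf, 0x3C, 0x40)  # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x44, 0x014C)
    return bytes(buf)


# Constructed input mimicking the first line of 7lFbTUxX9m.ps1.
SAMPLE_SCRIPT = (
    'try\r\n{\r\n    $cake = "' + "_".join(f"{b:02X}" for b in _fake_pe()) + '"\r\n'
    '    $label = "not a payload"\r\n}\r\n'
)

if __name__ == "__main__":
    # Usage: python triage.py sample.ps1   (falls back to the constructed sample)
    if len(sys.argv) > 1:
        text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    else:
        text = SAMPLE_SCRIPT
    for hit in find_embedded_pes(text):
        print(f"${hit['var']}: {hit['size']} bytes, PE header at 0x{hit['e_lfanew']:X}, "
              f"machine {hit['machine_name']}")
```

Run against the real file, the hit gives you the carved PE to feed to a .NET decompiler; the machine field tells you whether it is the usual i386 (AnyCPU) .NET stub or a native x64 image.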
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-24T19:18:31.600692+0200 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:18:31.776906+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:18:32.112066+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:18:33.734692+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:18:33.734692+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:18:33.735135+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:18:33.735135+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:18:33.735883+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:18:33.735883+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:18:46.152702+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:18:46.155050+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:19:00.522731+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:19:00.530112+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:19:02.894055+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:19:02.894055+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:19:14.914093+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:19:14.918477+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:19:24.212726+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:19:24.214743+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:19:24.372070+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:19:24.373669+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:19:24.466327+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:19:24.470512+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:19:29.948294+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:19:29.952271+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:19:30.283181+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:19:30.284917+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:19:30.420542+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:19:30.422266+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:19:30.544763+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:19:30.546572+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:19:30.566294+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:19:30.571137+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:19:32.901007+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:19:32.901007+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:19:40.577972+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:19:40.585687+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:19:54.913532+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:19:54.915595+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:02.899152+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:20:02.899152+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:20:04.179982+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:20:04.181856+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:06.477145+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:20:06.479328+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:16.309110+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:20:16.381311+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:17.257351+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:20:17.258782+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:17.366659+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:20:17.368243+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:20.367211+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:20:20.370629+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:25.770060+0200 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:25.946110+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:20:25.950756+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:26.260591+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:20:26.263402+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:26.357910+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:20:26.359611+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:27.961052+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:20:27.962508+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:32.895500+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:20:32.895500+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:20:33.116373+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:20:33.117845+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:33.204005+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:20:33.206099+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:34.882476+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:20:34.884405+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:35.554959+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:20:35.568559+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:38.244041+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:20:38.245797+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:43.507838+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:20:43.510052+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:43.807724+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:20:43.811075+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:58.309492+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:20:58.311623+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:21:02.893411+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:21:02.893411+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:21:03.233658+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:21:03.233658+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:21:12.522720+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:21:12.524616+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:21:14.928631+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:21:14.933266+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:21:18.929074+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:21:18.935818+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:21:20.101025+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:21:20.102769+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:21:21.761398+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:21:21.762996+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:21:30.808612+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:21:30.811142+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:21:32.899607+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:21:32.899607+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:21:45.179910+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:21:45.181622+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:21:46.632316+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:21:46.634188+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:21:55.477978+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.8 | 49709 | TCP
2024-09-24T19:21:55.478895+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49709 | 191.96.207.180 | 50000 | TCP
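The alert list above contains one detail worth pulling out in a hunt: the "PING Command Inbound M2" rows (SID 2852874) arrive at 19:18:33, 19:19:02, 19:19:32, 19:20:02, 19:20:32, 19:21:02 and 19:21:32, i.e. about every 30 seconds, with a few near-duplicate rows when one reply spans several packets. The following is an added example, not part of the Joe Sandbox report, showing how to measure that cadence from the alert rows themselves: parse the rows, collapse alerts that fall within a short window of each other, and compute the median inter-arrival time and its worst deviation. The rows are the report's own values for SID 2852874 plus two other SIDs as noise, re-typed as tab-separated text; the delimiter, the 1-second collapse window and the 10% periodicity threshold are my assumptions.

```python
"""Measure beacon cadence from Suricata-style alert rows.

Added example; not from the Joe Sandbox report or the sample. The
timestamps, SIDs, signatures and addresses are copied from the report's
IDS alert table; the tab-separated layout is an assumption."""
from datetime import datetime
from statistics import median
from typing import Dict, List, NamedTuple


class Alert(NamedTuple):
    ts: datetime
    sid: int
    signature: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_alerts(text: str) -> List[Alert]:
    """Rows: timestamp, SID, signature, severity, src IP, src port, dst IP, dst port, proto."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, sig, _sev, src, sport, dst, dport, _proto = line.split("\t")
        alerts.append(Alert(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
                            int(sid), sig, src, int(sport), dst, int(dport)))
    return alerts


def beacon_stats(alerts: List[Alert], sid: int, collapse_s: float = 1.0) -> Dict[str, object]:
    """Inter-arrival statistics for one SID.

    Alerts closer than collapse_s to the start of the current cluster count
    as one event: the rule fires per matching packet, so a single reply that
    spans several packets shows up as several rows within milliseconds (the
    report has three 2852874 rows inside 2 ms at 19:18:33)."""
    times = sorted(a.ts for a in alerts if a.sid == sid)
    events: List[datetime] = []
    for t in times:
        if not events or (t - events[-1]).total_seconds() > collapse_s:
            events.append(t)
    gaps = [(b - a).total_seconds() for a, b in zip(events, events[1:])]
    if len(gaps) < 2:
        return {"events": len(events), "intervals": len(gaps),
                "median": 0.0, "max_dev": 0.0, "periodic": False}
    med = median(gaps)
    max_dev = max(abs(g - med) for g in gaps)
    # Assumption: call it a beacon when every gap is within 10% of the median.
    return {"events": len(events), "intervals": len(gaps),
            "median": med, "max_dev": max_dev, "periodic": max_dev < 0.1 * med}


C2, VICTIM = "191.96.207.180", "192.168.2.8"
PING_IN = "ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2"
PING_OUT = "ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound"
CHECKIN_CLIENT = "ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)"


def _row(ts: str, sid: int, sig: str, inbound: bool) -> str:
    src, sport, dst, dport = (C2, 50000, VICTIM, 49709) if inbound else (VICTIM, 49709, C2, 50000)
    return "\t".join([ts, str(sid), sig, "1", src, str(sport), dst, str(dport), "TCP"])


# Values taken from the report's IDS alert table (re-typed; not a raw export).
ALERTS = "\n".join([
    _row("2024-09-24T19:18:31.600692+0200", 2855924, PING_OUT, False),
    _row("2024-09-24T19:18:33.734692+0200", 2852874, PING_IN, True),
    _row("2024-09-24T19:18:33.735135+0200", 2852874, PING_IN, True),
    _row("2024-09-24T19:18:33.735883+0200", 2852874, PING_IN, True),
    _row("2024-09-24T19:19:02.894055+0200", 2852874, PING_IN, True),
    _row("2024-09-24T19:19:14.918477+0200", 2852923, CHECKIN_CLIENT, False),
    _row("2024-09-24T19:19:32.901007+0200", 2852874, PING_IN, True),
    _row("2024-09-24T19:20:02.899152+0200", 2852874, PING_IN, True),
    _row("2024-09-24T19:20:32.895500+0200", 2852874, PING_IN, True),
    _row("2024-09-24T19:21:02.893411+0200", 2852874, PING_IN, True),
    _row("2024-09-24T19:21:03.233658+0200", 2852874, PING_IN, True),
    _row("2024-09-24T19:21:32.899607+0200", 2852874, PING_IN, True),
])

if __name__ == "__main__":
    print(beacon_stats(parse_alerts(ALERTS), 2852874))
```

On these rows the median gap for SID 2852874 comes out at just under 30 s with the largest deviation under a second, so the check-in is a fixed-interval keep-alive; the first gap is the shortest because the initial PING follows the connect, not a timer. The same function gives "periodic: False" for SID 2855924, which fires only once here.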
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 24, 2024 19:18:17.046927929 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:18:17.051899910 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:18:17.051991940 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:18:17.224989891 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:18:17.230781078 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:18:31.600692034 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:18:31.607702017 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:18:31.776906013 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:18:31.816710949 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:18:32.112066031 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:18:32.117078066 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:18:33.734692097 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:18:33.735135078 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:18:33.735225916 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:18:33.735882998 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:18:33.735935926 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:18:45.974193096 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:18:45.979248047 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:18:46.152702093 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:18:46.155050039 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:18:46.160042048 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:19:00.348361015 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:19:00.353312016 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:19:00.522731066 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:19:00.530112028 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:19:00.535023928 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:19:02.894054890 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:19:02.941632986 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:19:14.739206076 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:19:14.744235039 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:19:14.914093018 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:19:14.918477058 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:19:14.924103022 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:19:24.035840034 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:19:24.040901899 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:19:24.176397085 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:19:24.202491999 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:19:24.212726116 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:19:24.214742899 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:19:24.260207891 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:19:24.260257959 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:19:24.265269041 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:19:24.372070074 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:19:24.373668909 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:19:24.378737926 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:19:24.466326952 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:19:24.470511913 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:19:24.475645065 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:19:29.754453897 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:19:29.760862112 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:19:29.948293924 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:19:29.952270985 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:19:29.969094992 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:19:30.004426003 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:19:30.016129017 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:19:30.051342964 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:19:30.056487083 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:19:30.176214933 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:19:30.199794054 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:19:30.199847937 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:19:30.220247984 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:19:30.283180952 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:19:30.284917116 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:19:30.291637897 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:19:30.420542002 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:19:30.422266006 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:19:30.454185963 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:19:30.544763088 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:19:30.546571970 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:19:30.566293955 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:19:30.571088076 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:19:30.571136951 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:19:30.583555937 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:19:32.901006937 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:19:32.957309961 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:19:40.363930941 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:19:40.368853092 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:19:40.577971935 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:19:40.585686922 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:19:40.590622902 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:19:54.738709927 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:19:54.743702888 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:19:54.913532019 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:19:54.915595055 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:19:54.920455933 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:20:02.899152040 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:20:02.941575050 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:20:04.005466938 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:20:04.010386944 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:20:04.179981947 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:20:04.181855917 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:20:04.186943054 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:20:06.113645077 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:20:06.118585110 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:20:06.477144957 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:20:06.479327917 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:20:06.484205961 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:20:14.801198959 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:20:15.019685984 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:20:15.332192898 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:20:15.941566944 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
Sep 24, 2024 19:20:16.131607056 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:20:16.131620884 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:20:16.131630898 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:20:16.131664038 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:20:16.309109926 CEST | 50000 | 49709 | 191.96.207.180 | 192.168.2.8
Sep 24, 2024 19:20:16.363667965 CEST | 49709 | 50000 | 192.168.2.8 | 191.96.207.180
                          Sep 24, 2024 19:20:16.381310940 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:20:16.386357069 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:17.082741022 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:20:17.087798119 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:17.191999912 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:20:17.197056055 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:17.257350922 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:17.258781910 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:20:17.263791084 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:17.366658926 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:17.368242979 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:20:17.373239994 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:20.192152023 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:20:20.197395086 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:20.367211103 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:20.370629072 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:20:20.377741098 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:25.770060062 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:20:25.774966002 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:25.946110010 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:25.950756073 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:20:25.955709934 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:26.085294008 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:20:26.090282917 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:26.114242077 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:20:26.120743990 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:26.260591030 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:26.263401985 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:20:26.271378040 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:26.357909918 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:26.359611034 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:20:26.366769075 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:27.785816908 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:20:27.790657043 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:27.961051941 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:27.962507963 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:20:27.967598915 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:32.895499945 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:32.941965103 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:20:32.946966887 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:32.957576036 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:20:32.962419033 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:33.116373062 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:33.117845058 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:20:33.122668982 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:33.204005003 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:33.206099033 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:20:33.211091995 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:34.707623959 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:20:34.712769985 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:34.882476091 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:34.884404898 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:20:34.889441013 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:35.379966021 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:20:35.386405945 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:35.554959059 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:35.568558931 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:20:35.573610067 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:38.066932917 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:20:38.071885109 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:38.244040966 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:38.245796919 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:20:38.250659943 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:43.332705975 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:20:43.337785006 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:43.507838011 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:43.510051966 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:20:43.514957905 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:43.598169088 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:20:43.603090048 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:43.807723999 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:43.811074972 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:20:43.816205025 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:57.973504066 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:20:58.130811930 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:58.309492111 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:20:58.311623096 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:20:58.316483974 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:21:02.893410921 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:21:03.037257910 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:21:03.233658075 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:21:03.234146118 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:21:12.348083019 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:21:12.352977037 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:21:12.522720098 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:21:12.524616003 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:21:12.529529095 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:21:14.754273891 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:21:14.759198904 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:21:14.928631067 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:21:14.933265924 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:21:14.938108921 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:21:18.754339933 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:21:18.759577036 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:21:18.929074049 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:21:18.935817957 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:21:18.940716982 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:21:19.926512003 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:21:19.931441069 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:21:20.101025105 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:21:20.102768898 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:21:20.107609987 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:21:21.586492062 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:21:21.591588974 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:21:21.761398077 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:21:21.762995958 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:21:21.767993927 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:21:30.629547119 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:21:30.638782978 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:21:30.808612108 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:21:30.811141968 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:21:30.816032887 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:21:32.899606943 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:21:32.941610098 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:21:45.004293919 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:21:45.009392023 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:21:45.179909945 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:21:45.181622028 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:21:45.188164949 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:21:46.457570076 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:21:46.462502956 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:21:46.632316113 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:21:46.634187937 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:21:46.639076948 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:21:55.301206112 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:21:55.306334019 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:21:55.477977991 CEST5000049709191.96.207.180192.168.2.8
                          Sep 24, 2024 19:21:55.478894949 CEST4970950000192.168.2.8191.96.207.180
                          Sep 24, 2024 19:21:55.483863115 CEST5000049709191.96.207.180192.168.2.8
Timestamp                            | Source Port | Dest Port | Source IP   | Dest IP
Sep 24, 2024 19:18:16.856704950 CEST | 61076       | 53        | 192.168.2.8 | 1.1.1.1
Sep 24, 2024 19:18:16.866195917 CEST | 53          | 61076     | 1.1.1.1     | 192.168.2.8

Timestamp                            | Source IP   | Dest IP | Trans ID | OP Code            | Name               | Type           | Class       | DNS over HTTPS
Sep 24, 2024 19:18:16.856704950 CEST | 192.168.2.8 | 1.1.1.1 | 0x2a1f   | Standard query (0) | vecotr.viewdns.net | A (IP address) | IN (0x0001) | false

Timestamp                            | Source IP | Dest IP     | Trans ID | Reply Code   | Name               | CName | Address        | Type           | Class       | DNS over HTTPS
Sep 24, 2024 19:18:16.866195917 CEST | 1.1.1.1   | 192.168.2.8 | 0x2a1f   | No error (0) | vecotr.viewdns.net |       | 191.96.207.180 | A (IP address) | IN (0x0001) | false

Target ID: 2
Start time: 13:17:46
Start date: 24/09/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\7lFbTUxX9m.ps1"
Imagebase: 0x7ff6cb6b0000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.1983694401.00000247E93C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000002.1950283409.00000247D12A7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000002.1950283409.00000247D12A7000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.1950283409.00000247D2AA5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000002.1950283409.00000247D310C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000002.1950283409.00000247D310C000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation: high
Has exited: true

Target ID: 3
Start time: 13:17:49
Start date: 24/09/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 13:18:12
Start date: 24/09/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase: 0xfa0000
File size: 45'984 bytes
MD5 hash: 9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000008.00000002.4142935737.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000008.00000002.4142935737.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000008.00000002.4147288902.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: false

                            • Instruction ID: 21953c3df3387dbdf63b22666fda50cb34f9c07b848d62f7bac7b35cc16f1af5
                            • Opcode Fuzzy Hash: 7fc921c6356f96428adf48ab86f16fa7f53b6ed62a0a0aeb1a311845f06ec7d3
                            • Instruction Fuzzy Hash: 9C11D0B2C1065A9BDB10DF9AD444B9EFBF4AB48220F15816AE818A7241D378A944CFE5
                            Memory Dump Source
                            • Source File: 00000008.00000002.4145947155.000000000187D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_187d000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1d9fc4adefd7102df781d33e963fe1871313d802573df8bea7a03db9f0321d0a
                            • Instruction ID: baa896ececbd81896b9ba5f8a3345419a743e1a6cbe59e1ad61b22adab09ff30
                            • Opcode Fuzzy Hash: 1d9fc4adefd7102df781d33e963fe1871313d802573df8bea7a03db9f0321d0a
                            • Instruction Fuzzy Hash: D7214872504204DFDB15DF54D9C0B56BF65FF84318F20C2A8E9094B247C336E546CAA2
                            Memory Dump Source
                            • Source File: 00000008.00000002.4145947155.000000000187D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_187d000_RegSvcs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
                            • Instruction ID: 4353be942abcde4532ca17c846f491608b4f73d96d53280103dfb3c996b8b6a4
                            • Opcode Fuzzy Hash: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
                            • Instruction Fuzzy Hash: E011DC72404280DFCB16CF54D9C4B56BF62FB84324F24C2A9DD094B657C33AE55ACBA2