
Windows Analysis Report
GvJxEfWyS1.ps1

Overview

General Information

Sample name: GvJxEfWyS1.ps1 (renamed because the original name is a hash value)
Original sample name: 41f746cfbfc418caee659826b7fc4728e1347014ea5f0c840728b30ba31b3c8b.ps1
Analysis ID: 1517139
MD5: 7cee317b8911c2bf3f013b44caac9e4e
SHA1: 91dac8bcdc075a226d21292563c5db084b826f80
SHA256: 41f746cfbfc418caee659826b7fc4728e1347014ea5f0c840728b30ba31b3c8b
Tags: ps1, vecotr-viewdns-net, user-JAMESWT_MHT

Detection

PureLog Stealer, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected PureLog Stealer
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 6888 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\GvJxEfWyS1.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 6916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 3300 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup

Malware configuration (XWorm):
{"C2 url": ["vecotr.viewdns.net"], "Port": "50000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara matches in memory dumps:

Source: 00000000.00000002.1846514640.00000199C3A7D000.00000004.00000800.00020000.00000000.sdmp
  • Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security
  • Rule: MALWARE_Win_AsyncRAT; Description: Detects AsyncRAT; Author: ditekSHen; Strings:
    • 0x17468:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x17505:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x1761a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x172da:$cnc4: POST / HTTP/1.1
Source: 00000002.00000002.4168640908.0000000000402000.00000040.00000400.00020000.00000000.sdmp
  • Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security
  • Rule: MALWARE_Win_AsyncRAT; Description: Detects AsyncRAT; Author: ditekSHen; Strings:
    • 0x6aa8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x6b45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x6c5a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x691a:$cnc4: POST / HTTP/1.1
Source: 00000000.00000002.1846349807.00000199C16B0000.00000004.08000000.00040000.00000000.sdmp
  • Rule: JoeSecurity_PureLogStealer; Description: Yara detected PureLog Stealer; Author: Joe Security

Yara matches in unpacked PEs:

Source: 0.2.powershell.exe.199c1fe99d0.1.unpack
  • Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security
  • Rule: MALWARE_Win_AsyncRAT; Description: Detects AsyncRAT; Author: ditekSHen; Strings:
    • 0x4ea8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x4f45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x505a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x4d1a:$cnc4: POST / HTTP/1.1
Source: 0.2.powershell.exe.199c16b0000.0.unpack
  • Rule: JoeSecurity_PureLogStealer; Description: Yara detected PureLog Stealer; Author: Joe Security
Source: 0.2.powershell.exe.199c36cfbb0.2.raw.unpack
  • Rule: JoeSecurity_PureLogStealer; Description: Yara detected PureLog Stealer; Author: Joe Security
Source: 0.2.powershell.exe.199c36cfbb0.2.unpack
  • Rule: JoeSecurity_PureLogStealer; Description: Yara detected PureLog Stealer; Author: Joe Security

System Summary

Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\GvJxEfWyS1.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\GvJxEfWyS1.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\GvJxEfWyS1.ps1", ProcessId: 6888, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\GvJxEfWyS1.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\GvJxEfWyS1.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\GvJxEfWyS1.ps1", ProcessId: 6888, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-24T19:20:02.897899+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:20:03.055016+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:20:16.309537+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:20:29.508594+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:20:32.895440+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:20:42.746601+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:20:53.398958+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:20:57.461284+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:20:58.414794+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:20:58.509419+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:20:58.604156+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:21:01.086561+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:21:02.893343+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:21:14.468164+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:21:27.554989+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:21:30.321634+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:21:32.899726+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:21:43.570050+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:21:45.929708+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:21:46.027566+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:21:52.558234+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:21:56.120661+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:21:56.244818+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:22:02.339361+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:22:02.913986+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:22:04.628138+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:22:11.150265+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:22:18.940931+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:22:22.389123+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:22:26.448896+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:22:27.445851+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:22:32.289633+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:22:32.891114+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:22:38.164741+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:22:38.164776+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:22:38.165159+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:22:51.243424+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:22:57.612973+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:23:02.900551+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:23:09.258597+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:23:14.313701+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:23:14.409315+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:23:14.788726+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:23:14.789658+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:23:14.789921+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:23:19.176603+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:23:30.054998+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:23:32.912145+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:23:33.577159+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:23:41.626485+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-24T19:20:03.222875+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:16.311312+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:29.510762+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:42.748832+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:53.402168+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:57.466451+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:58.417090+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:58.511498+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:20:58.606163+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:21:01.088240+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:21:14.471577+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:21:27.556880+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:21:30.324508+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:21:43.572154+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:21:45.933945+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:21:46.029729+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:21:46.144476+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:21:46.352521+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:21:52.568975+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:21:56.122936+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:21:56.246761+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:22:02.350083+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:22:04.637850+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:22:11.152100+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:22:22.391080+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:22:26.451884+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:22:27.448028+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:22:32.291961+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:22:38.167244+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:22:38.172539+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:22:51.247747+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:22:57.618282+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:23:09.260961+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:23:14.316871+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:23:14.410697+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:23:14.617290+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:23:14.790363+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:23:14.795706+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:23:19.181221+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:23:30.059563+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:23:33.579356+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:23:41.630251+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-24T19:20:02.897899+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:20:32.895440+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:21:02.893343+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:21:32.899726+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:22:02.913986+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:22:32.891114+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:23:02.900551+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
2024-09-24T19:23:32.912145+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-24T19:21:52.383496+0200 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP


                AV Detection

Source: 00000000.00000002.1846514640.00000199C3A7D000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: Xworm {"C2 url": ["vecotr.viewdns.net"], "Port": "50000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: GvJxEfWyS1.ps1; ReversingLabs: Detection: 23%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.9% probability
Source: 0.2.powershell.exe.199c1fe99d0.1.raw.unpack; String decryptor: vecotr.viewdns.net
Source: 0.2.powershell.exe.199c1fe99d0.1.raw.unpack; String decryptor: 50000
Source: 0.2.powershell.exe.199c1fe99d0.1.raw.unpack; String decryptor: <123456789>
Source: 0.2.powershell.exe.199c1fe99d0.1.raw.unpack; String decryptor: <Xwormmm>
Source: 0.2.powershell.exe.199c1fe99d0.1.raw.unpack; String decryptor: XWorm V5.6
Source: 0.2.powershell.exe.199c1fe99d0.1.raw.unpack; String decryptor: USB.exe
Source: Binary string: NewPE2.pdb; source: powershell.exe, 00000000.00000002.1846349807.00000199C16B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.1846514640.00000199C3645000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: .pDbV; source: powershell.exe, 00000000.00000002.1887858223.00007FFD9BA80000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: NewPE2.pdb(@; source: powershell.exe, 00000000.00000002.1846349807.00000199C16B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.1846514640.00000199C3645000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

                Networking

Source: Network traffic; Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49730 -> 191.96.207.180:50000
Source: Network traffic; Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 191.96.207.180:50000 -> 192.168.2.4:49730
Source: Network traffic; Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 191.96.207.180:50000 -> 192.168.2.4:49730
Source: Network traffic; Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49730 -> 191.96.207.180:50000
Source: Network traffic; Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49730 -> 191.96.207.180:50000
Source: Malware configuration extractor; URLs: vecotr.viewdns.net
Source: global traffic; TCP traffic: 192.168.2.4:49730 -> 191.96.207.180:50000
Source: Joe Sandbox View; IP Address: 191.96.207.180
Source: Joe Sandbox View; ASN Name: ASN-XTUDIONETES
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: vecotr.viewdns.net
Source: powershell.exe, 00000000.00000002.1871977770.00000199D1D97000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1846514640.00000199C1E47000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1846514640.00000199C1C21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4172249930.0000000002B41000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1846514640.00000199C1E47000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1846514640.00000199C1C21000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1871977770.00000199D1D97000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1871977770.00000199D1D97000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1871977770.00000199D1D97000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1846514640.00000199C1E47000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1871977770.00000199D1D97000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe

                System Summary

                barindex
                Source: 0.2.powershell.exe.199c1fe99d0.1.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 0.2.powershell.exe.199c1fe99d0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 00000000.00000002.1846514640.00000199C3A7D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 00000002.00000002.4168640908.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 00000000.00000002.1846514640.00000199C1E47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess Stats: CPU usage > 49%
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD9B8AA0B20_2_00007FFD9B8AA0B2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_0292B2B82_2_0292B2B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_029281D82_2_029281D8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_029255102_2_02925510
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_0292BFF82_2_0292BFF8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_02925DE02_2_02925DE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_029251C82_2_029251C8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_02920BA02_2_02920BA0
                Source: 0.2.powershell.exe.199c1fe99d0.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0.2.powershell.exe.199c1fe99d0.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000000.00000002.1846514640.00000199C3A7D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000002.00000002.4168640908.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000000.00000002.1846514640.00000199C1E47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0.2.powershell.exe.199c1fe99d0.1.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.powershell.exe.199c1fe99d0.1.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.powershell.exe.199c1fe99d0.1.raw.unpack, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.powershell.exe.199c36cfbb0.2.raw.unpack, EwV3ECxYhIse1SOarW.csCryptographic APIs: 'CreateDecryptor'
                Source: 0.2.powershell.exe.199c36cfbb0.2.raw.unpack, EwV3ECxYhIse1SOarW.csCryptographic APIs: 'CreateDecryptor'
                Source: 0.2.powershell.exe.199c16b0000.0.raw.unpack, EwV3ECxYhIse1SOarW.csCryptographic APIs: 'CreateDecryptor'
                Source: classification engine | Classification label: mal100.troj.evad.winPS1@4/5@1/1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6916:120:WilError_03
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\N5Yy5TM3WOXfdPYN
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pgrbygw2.0sw.ps1
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                Source: GvJxEfWyS1.ps1 | ReversingLabs: Detection: 23%
                Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\GvJxEfWyS1.ps1"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                Source: Binary string: NewPE2.pdb | source: powershell.exe, 00000000.00000002.1846349807.00000199C16B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.1846514640.00000199C3645000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: .pDbV | source: powershell.exe, 00000000.00000002.1887858223.00007FFD9BA80000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: NewPE2.pdb(@ | source: powershell.exe, 00000000.00000002.1846349807.00000199C16B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.1846514640.00000199C3645000.00000004.00000800.00020000.00000000.sdmp

                Data Obfuscation

                Source: 0.2.powershell.exe.199c1fe99d0.1.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 0.2.powershell.exe.199c1fe99d0.1.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 0.2.powershell.exe.199c36cfbb0.2.raw.unpack, EwV3ECxYhIse1SOarW.cs | .Net Code: uDdV8u69VKLnNev38PJ(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{uDdV8u69VKLnNev38PJ(typeof(IntPtr).TypeHandle),typeof(Type)})
                Source: 0.2.powershell.exe.199c16b0000.0.raw.unpack, EwV3ECxYhIse1SOarW.cs | .Net Code: uDdV8u69VKLnNev38PJ(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{uDdV8u69VKLnNev38PJ(typeof(IntPtr).TypeHandle),typeof(Type)})
                Source: 0.2.powershell.exe.199c1fe99d0.1.raw.unpack, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
                Source: 0.2.powershell.exe.199c1fe99d0.1.raw.unpack, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
                Source: 0.2.powershell.exe.199c1fe99d0.1.raw.unpack, Messages.cs | .Net Code: Memory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_02927DA0 push eax; iretd 2_2_02927DA1
                Source: 0.2.powershell.exe.199c36cfbb0.2.raw.unpack, EwV3ECxYhIse1SOarW.cs | High entropy of concatenated method names: 'coIv6gaxrKyOU6UxhGB', 'YmKxVlaSSMxjg7yeSZr', 'BPTavEfPI8', 'pdaPcya8thctOw7jJPR', 'e52AmiaR6Zmb9lryLLG', 'VFhmi5apOUL45Layo85', 's7lkoDagZ7SB5rZQITN', 'q7yQT6aJ19wG5Ff3PrV', 'eUANGaaiQTIQvIro7Lh', 'yOG8BOaIDUqRkTkYGTt'
                Source: 0.2.powershell.exe.199c36cfbb0.2.raw.unpack, geUwbRLwd0WNm7K3QP.cs | High entropy of concatenated method names: 'rkesS35Cky', 'auIkQH6o4NfXZEtqLWo', 'UtNfEh6dtiuHEv5GyR3', 'tobPIO6cNsowhYm6JYZ', 'z08y4G6OJTjebtPXsBe', 'xM0xGg6Dv9ifjCVCALk', 's2oSNh6kHwXWCjPNT1e', 'RHJgFS6jYOqPmd8yqch', 'HCgwjo6NdCdqwgS1jXN'
                Source: 0.2.powershell.exe.199c36cfbb0.2.raw.unpack, Native.cs | High entropy of concatenated method names: 'LoadLibraryA', 'GetProcAddress', 'LoadApi', 'M2DDfJCjDKI6dkvGbUU', 'HytCt3CceuoYVLARgTH', 'asbBtkCOLuWCxWmxMrH', 'iPe0TGCNg1ulsrFuGHe', 'XE084OCYFp6QURxQXNM', 'xNDrW9CmxlBnIETjTvQ'
                Source: 0.2.powershell.exe.199c36cfbb0.2.raw.unpack, Str.cs | High entropy of concatenated method names: 'ReverseString', 'BinaryToString', 'yRVbf4CTORcmD8WTJOo', 'CGyNH1CXiymcSWZhYiZ', 'fAYOIbCErgtjxemufl3', 'Y23WHXCwRSKNSXICkhU', 'IvO6ajC1bhZeT4AHTEO', 'vHGAm5CepTLTEblhDwj', 'Vx8Qx4CvcsaBOBt7IZf', 'n2p6k0CrwoLDc063WAb'
                Source: 0.2.powershell.exe.199c36cfbb0.2.raw.unpack, PE.cs | High entropy of concatenated method names: 'Execute', 'muFoq8CAseaYDIPspOv', 'KRwVQXCGtZfeLlAnof5', 'arNOAMCxGMOePGZ8BMp', 'nnjcWOCSyXwHiJoVevG', 'Tvu02TCfqoPNp1rrRW2', 'nFaWI9Cl6YnHEcOun9x', 'oUX4ckCK7QI2rXqWGRQ', 'GFGnodC8lHNWHj6unEy', 'wBS7MKCRFTgjZ1Q4fVT'
                Source: 0.2.powershell.exe.199c16b0000.0.raw.unpack, EwV3ECxYhIse1SOarW.cs | High entropy of concatenated method names: 'coIv6gaxrKyOU6UxhGB', 'YmKxVlaSSMxjg7yeSZr', 'BPTavEfPI8', 'pdaPcya8thctOw7jJPR', 'e52AmiaR6Zmb9lryLLG', 'VFhmi5apOUL45Layo85', 's7lkoDagZ7SB5rZQITN', 'q7yQT6aJ19wG5Ff3PrV', 'eUANGaaiQTIQvIro7Lh', 'yOG8BOaIDUqRkTkYGTt'
                Source: 0.2.powershell.exe.199c16b0000.0.raw.unpack, geUwbRLwd0WNm7K3QP.cs | High entropy of concatenated method names: 'rkesS35Cky', 'auIkQH6o4NfXZEtqLWo', 'UtNfEh6dtiuHEv5GyR3', 'tobPIO6cNsowhYm6JYZ', 'z08y4G6OJTjebtPXsBe', 'xM0xGg6Dv9ifjCVCALk', 's2oSNh6kHwXWCjPNT1e', 'RHJgFS6jYOqPmd8yqch', 'HCgwjo6NdCdqwgS1jXN'
                Source: 0.2.powershell.exe.199c16b0000.0.raw.unpack, Native.cs | High entropy of concatenated method names: 'LoadLibraryA', 'GetProcAddress', 'LoadApi', 'M2DDfJCjDKI6dkvGbUU', 'HytCt3CceuoYVLARgTH', 'asbBtkCOLuWCxWmxMrH', 'iPe0TGCNg1ulsrFuGHe', 'XE084OCYFp6QURxQXNM', 'xNDrW9CmxlBnIETjTvQ'
                Source: 0.2.powershell.exe.199c16b0000.0.raw.unpack, Str.cs | High entropy of concatenated method names: 'ReverseString', 'BinaryToString', 'yRVbf4CTORcmD8WTJOo', 'CGyNH1CXiymcSWZhYiZ', 'fAYOIbCErgtjxemufl3', 'Y23WHXCwRSKNSXICkhU', 'IvO6ajC1bhZeT4AHTEO', 'vHGAm5CepTLTEblhDwj', 'Vx8Qx4CvcsaBOBt7IZf', 'n2p6k0CrwoLDc063WAb'
                Source: 0.2.powershell.exe.199c16b0000.0.raw.unpack, PE.cs | High entropy of concatenated method names: 'Execute', 'muFoq8CAseaYDIPspOv', 'KRwVQXCGtZfeLlAnof5', 'arNOAMCxGMOePGZ8BMp', 'nnjcWOCSyXwHiJoVevG', 'Tvu02TCfqoPNp1rrRW2', 'nFaWI9Cl6YnHEcOun9x', 'oUX4ckCK7QI2rXqWGRQ', 'GFGnodC8lHNWHj6unEy', 'wBS7MKCRFTgjZ1Q4fVT'
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4289
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5579
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 4540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 5283
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4916 | Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: RegSvcs.exe, 00000002.00000002.4169693759.0000000000CCF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf11d
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

Source: 0.2.powershell.exe.199c1fe99d0.1.raw.unpack, Messages.cs | Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
Source: 0.2.powershell.exe.199c36cfbb0.2.raw.unpack, Native.cs | Reference to suspicious API methods: hZtBkRIAsdEfXyYT8l.DKNdSqYsy(GetProcAddress(LoadLibraryA(ref *(string*)(&name)), ref *(string*)(&method)), eNT4yUcAs2TV1EOUTN.DKNdSqYsy(typeof(CreateApi).TypeHandle, eNT4yUcAs2TV1EOUTN.NP4OpjU4s), hZtBkRIAsdEfXyYT8l.mQhtqTkRs)
Source: 0.2.powershell.exe.199c36cfbb0.2.raw.unpack, PE.cs | Reference to suspicious API methods: Native.WriteProcessMemory(processInformation.ProcessHandle, num10 + num16, array3, array3.Length, ref bytesWritten)
Source: 0.2.powershell.exe.199c36cfbb0.2.raw.unpack, PE.cs | Reference to suspicious API methods: Native.ReadProcessMemory(processInformation.ProcessHandle, num5 + 8, ref buffer2, 4, ref bytesWritten)
Source: 0.2.powershell.exe.199c36cfbb0.2.raw.unpack, PE.cs | Reference to suspicious API methods: x42mfHCtV6jaJIpPla7(Native.VirtualAllocEx, processInformation.ProcessHandle, num6, length, 12288, 64)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 40A000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 40C000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 96C008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: RegSvcs.exe, 00000002.00000002.4172249930.0000000003078000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000002.00000002.4172249930.0000000003078000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Managert-^q
Source: RegSvcs.exe, 00000002.00000002.4172249930.0000000003078000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: @\^q@\^q'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: RegSvcs.exe, 00000002.00000002.4172249930.0000000003078000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $^q'PING!<Xwormmm>Program Manager<Xwormmm>0Te^qp
Source: RegSvcs.exe, 00000002.00000002.4172249930.0000000003078000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.powershell.exe.199c16b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.powershell.exe.199c36cfbb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.powershell.exe.199c36cfbb0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.powershell.exe.199c16b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1846349807.00000199C16B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1846514640.00000199C3645000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.powershell.exe.199c1fe99d0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.powershell.exe.199c1fe99d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1846514640.00000199C3A7D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4168640908.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4172249930.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1846514640.00000199C1E47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6888, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3300, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match | File source: 0.2.powershell.exe.199c16b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.powershell.exe.199c36cfbb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.powershell.exe.199c36cfbb0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.powershell.exe.199c16b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1846349807.00000199C16B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1846514640.00000199C3645000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.powershell.exe.199c1fe99d0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.powershell.exe.199c1fe99d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1846514640.00000199C3A7D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4168640908.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4172249930.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1846514640.00000199C1E47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6888, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3300, type: MEMORYSTR
Mitre Att&ck Matrix (techniques listed per tactic column; numbers in parentheses are the signature counts shown in the matrix)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
Execution: Windows Management Instrumentation (11), Native API (1), At, Cron, Launchd, Scheduled Task, Systemd Timers
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Privilege Escalation: Process Injection (212), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Defense Evasion: Disable or Modify Tools (1), Virtualization/Sandbox Evasion (121), Process Injection (212), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (1), Software Packing (2), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
Discovery: Security Software Discovery (111), Process Discovery (2), Virtualization/Sandbox Evasion (121), Application Window Discovery (1), File and Directory Discovery (2), System Information Discovery (13), Remote System Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
Collection: Archive Collected Data (11), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
Command and Control: Encrypted Channel (1), Non-Standard Port (1), Non-Application Layer Protocol (1), Application Layer Protocol (11), Fallback Channels, Multiband Communication, Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery
Source | Detection | Scanner | Label
GvJxEfWyS1.ps1 | 24% | ReversingLabs | Script-PowerShell.Backdoor.Xworm
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
vecotr.viewdns.net | 0% | Avira URL Cloud | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Avira URL Cloud | safe
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
vecotr.viewdns.net | 191.96.207.180 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
vecotr.viewdns.net | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.1871977770.00000199D1D97000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.1846514640.00000199C1C21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000000.00000002.1846514640.00000199C1E47000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.1846514640.00000199C1C21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4172249930.0000000002B41000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000000.00000002.1846514640.00000199C1E47000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000000.00000002.1846514640.00000199C1E47000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000000.00000002.1871977770.00000199D1D97000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.1871977770.00000199D1D97000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000000.00000002.1871977770.00000199D1D97000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000000.00000002.1871977770.00000199D1D97000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
191.96.207.180 | vecotr.viewdns.net | Chile | 60458 | ASN-XTUDIONETES | true
                  Joe Sandbox version:41.0.0 Charoite
                  Analysis ID:1517139
                  Start date and time:2024-09-24 19:18:38 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 6m 55s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:7
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:GvJxEfWyS1.ps1
                  renamed because original name is a hash value
                  Original Sample Name:41f746cfbfc418caee659826b7fc4728e1347014ea5f0c840728b30ba31b3c8b.ps1
                  Detection:MAL
                  Classification:mal100.troj.evad.winPS1@4/5@1/1
                  EGA Information:
                  • Successful, ratio: 50%
                  HCA Information:
                  • Successful, ratio: 95%
                  • Number of executed functions: 18
                  • Number of non-executed functions: 1
                  Cookbook Comments:
                  • Found application associated with file extension: .ps1
                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                  • Execution Graph export aborted for target powershell.exe, PID 6888 because it is empty
• Not all processes were analyzed, report is missing behavior information
                  • VT rate limit hit for: GvJxEfWyS1.ps1
Time | Type | Description
13:19:33 | API Interceptor | 42x Sleep call for process: powershell.exe modified
13:19:48 | API Interceptor | 8736330x Sleep call for process: RegSvcs.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
191.96.207.180 | 7lFbTUxX9m.ps1 | malicious | PureLog Stealer, XWorm
191.96.207.180 | XeI2N4WyGz.ps1 | malicious | XWorm
191.96.207.180 | lzsVg6vGuu.ps1 | malicious | PureLog Stealer, XWorm
191.96.207.180 | payload_1.vbs | malicious | XWorm
191.96.207.180 | Commitment_for_Title_Insurance-660184790411.wsf | malicious | XWorm
Match | Associated Sample Name / URL | Detection | Threat Name | Context
vecotr.viewdns.net | 7lFbTUxX9m.ps1 | malicious | PureLog Stealer, XWorm | 191.96.207.180
vecotr.viewdns.net | XeI2N4WyGz.ps1 | malicious | XWorm | 191.96.207.180
vecotr.viewdns.net | lzsVg6vGuu.ps1 | malicious | PureLog Stealer, XWorm | 191.96.207.180
vecotr.viewdns.net | payload_1.vbs | malicious | XWorm | 191.96.207.180
vecotr.viewdns.net | Commitment_for_Title_Insurance-660184790411.wsf | malicious | XWorm | 191.96.207.180
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ASN-XTUDIONETES | 7lFbTUxX9m.ps1 | malicious | PureLog Stealer, XWorm | 191.96.207.180
ASN-XTUDIONETES | XeI2N4WyGz.ps1 | malicious | XWorm | 191.96.207.180
ASN-XTUDIONETES | lzsVg6vGuu.ps1 | malicious | PureLog Stealer, XWorm | 191.96.207.180
ASN-XTUDIONETES | payload_1.vbs | malicious | XWorm | 191.96.207.180
ASN-XTUDIONETES | Commitment_for_Title_Insurance-660184790411.wsf | malicious | XWorm | 191.96.207.180
ASN-XTUDIONETES | file_5822aee2333945a68f99cf2cfdd0e024_2024-09-16_14_28_33_034000.zip | malicious | Unknown | 179.61.228.98
ASN-XTUDIONETES | mlnZfOifRX.elf | malicious | Okiru | 45.151.195.118
ASN-XTUDIONETES | arm7.elf | malicious | Mirai | 185.37.230.233
ASN-XTUDIONETES | file.exe | malicious | FormBook, PureLog Stealer | 45.131.83.43
ASN-XTUDIONETES | emsO.exe | malicious | FormBook, PureLog Stealer | 45.131.83.43
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):64
                            Entropy (8bit):1.1628158735648508
                            Encrypted:false
                            SSDEEP:3:NlllulLhwlz:NllUO
                            MD5:F442CD24937ABD508058EA44FD91378E
                            SHA1:FDE63CECA441AA1C5C9C401498F9032A23B38085
                            SHA-256:E2960AF08E2EE7C9C72EEA31DBBFE1B55B9BF84DE2DD7BB7204487E6AF37B8F6
                            SHA-512:927E2EEA0BB3FC3D3A0DA7F45644F594CE29F11D90A84B005D723500258DE9E8B3780EB87242F4C62B64B9FEEA1869FC16076FA3AC89EC34E0546CDE1BEF7631
                            Malicious:false
                            Reputation:moderate, very likely benign file
                            Preview:@...e................................................@..........
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Reputation:high, very likely benign file
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):6221
                            Entropy (8bit):3.7284070836475958
                            Encrypted:false
                            SSDEEP:48:vhi/tD2l5LPr3C4U28ujgukvhkvklCyw2mdfK3RlCBSogZol/K3RlDBSogZoh1:0Il533CxHudkvhkvCCtRK3RhHuK3RKHe
                            MD5:2D15929AD0D83FA21C5351D7DF826E37
                            SHA1:4E35BB1554877F265D587A20985EEB437E3B457B
                            SHA-256:CDEF0B86567C53D7BDE89EFA92D532C68169CDF06500BC8872639ACAAEF6DE25
                            SHA-512:894BE044DBC91E31BAF42C98F3E87AD413B1E1D623511EEBEA5B23E3D781817C1FE374DC3BF474F198AC6B58E99F6E367ACE0A452AFC3FC1E3C32538EF363CDB
                            Malicious:false
                            Reputation:low
                            Preview:...................................FL..................F.".. ...-/.v...........z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v............^.........t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^8Yj............................%..A.p.p.D.a.t.a...B.V.1.....8Ym...Roaming.@......CW.^8Ym............................%..R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^DW.`..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWR`..Windows.@......CW.^DWR`..............................W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^8Yp.....Q...........
                            File type:ASCII text, with very long lines (65526), with CRLF line terminators
                            Entropy (8bit):3.1248255692674873
                            TrID:
                              File name:GvJxEfWyS1.ps1
                              File size:329'783 bytes
                              MD5:7cee317b8911c2bf3f013b44caac9e4e
                              SHA1:91dac8bcdc075a226d21292563c5db084b826f80
                              SHA256:41f746cfbfc418caee659826b7fc4728e1347014ea5f0c840728b30ba31b3c8b
                              SHA512:42fe836bf246af4bcc2259dde43cfd29612cd6e320e87bd714c31d61faf8f9322effbe99bb76e55dd92044de6fab8d6a8cb3d5122277b4f981a8534bfe92a601
                              SSDEEP:3072:wL3D5WXtWVH44LhC8z60U4h3mShvTUfWwLC5ImBK5W9Fp81fABAUvetcTnZm:Q5W0H44LhC85TUOwqYyfbg
                              TLSH:F064CC898537FB85CC0228A61D2B39F078C86D5EA1F5C8F0AF379C1A25D50589FBDDA1
                              File Content Preview:try..{....$cake = "4D_5A_90_00_03_00_00_00_04_00_00_00_FF_FF_00_00_B8_00_00_00_00_00_00_00_40_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_80_00_00_00_0E_1F_BA_0E_00_B4_09_CD_21_B8_01_4C_CD_21_54
                              Icon Hash:3270d6baae77db44
                              Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                              2024-09-24T19:20:02.878931+0200 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:20:02.897899+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:20:02.897899+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:20:03.055016+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:20:03.222875+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:20:16.309537+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:20:16.311312+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:20:29.508594+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:20:29.510762+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:20:32.895440+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:20:32.895440+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:20:42.746601+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:20:42.748832+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:20:53.398958+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:20:53.402168+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:20:57.461284+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:20:57.466451+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:20:58.414794+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:20:58.417090+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:20:58.509419+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:20:58.511498+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:20:58.604156+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:20:58.606163+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:21:01.086561+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:21:01.088240+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:21:02.893343+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:21:02.893343+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:21:14.468164+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:21:14.471577+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:21:27.554989+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:21:27.556880+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:21:30.321634+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:21:30.324508+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:21:32.899726+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:21:32.899726+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:21:43.570050+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:21:43.572154+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:21:45.929708+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:21:45.933945+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:21:46.027566+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:21:46.029729+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:21:46.144476+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:21:46.352521+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:21:52.383496+0200 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:21:52.558234+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:21:52.568975+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:21:56.120661+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:21:56.122936+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:21:56.244818+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:21:56.246761+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:22:02.339361+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:22:02.350083+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:22:02.913986+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:22:02.913986+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:22:04.628138+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:22:04.637850+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:22:11.150265+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:22:11.152100+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:22:18.940931+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:22:22.389123+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:22:22.391080+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:22:26.448896+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:22:26.451884+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:22:27.445851+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:22:27.448028+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:22:32.289633+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:22:32.291961+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:22:32.891114+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:22:32.891114+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:22:38.164741+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:22:38.164776+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:22:38.165159+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:22:38.167244+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:22:38.172539+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:22:51.243424+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:22:51.247747+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:22:57.612973+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:22:57.618282+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:23:02.900551+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:23:02.900551+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:23:09.258597+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:23:09.260961+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:23:14.313701+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:23:14.316871+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:23:14.409315+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:23:14.410697+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:23:14.617290+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:23:14.788726+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:23:14.789658+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:23:14.789921+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:23:14.790363+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:23:14.795706+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:23:19.176603+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:23:19.181221+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:23:30.054998+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:23:30.059563+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:23:32.912145+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:23:32.912145+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:23:33.577159+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:23:33.579356+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              2024-09-24T19:23:41.626485+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.4 | 49730 | TCP
                              2024-09-24T19:23:41.630251+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49730 | 191.96.207.180 | 50000 | TCP
                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              Sep 24, 2024 19:19:49.309956074 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:19:49.315283060 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:19:49.315373898 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:19:49.482865095 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:19:49.692908049 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:19:49.724298954 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:19:49.724344969 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:20:02.878931046 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:20:02.884051085 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:20:02.897898912 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:20:02.942919970 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:20:03.055016041 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:20:03.099200964 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:20:03.222875118 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:20:03.276057005 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:20:16.100122929 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:20:16.131674051 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:20:16.309536934 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:20:16.311311960 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:20:16.316488981 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:20:29.334016085 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:20:29.339200974 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:20:29.508594036 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:20:29.510761976 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:20:29.515670061 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:20:32.895440102 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:20:32.942889929 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:20:42.568135023 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:20:42.573328018 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:20:42.746601105 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:20:42.748831987 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:20:42.753742933 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:20:53.224598885 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:20:53.229576111 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:20:53.398957968 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:20:53.402168036 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:20:53.407021999 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:20:57.286943913 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:20:57.291922092 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:20:57.461283922 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:20:57.466450930 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:20:57.471323013 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:20:58.240181923 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:20:58.245101929 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:20:58.256033897 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:20:58.260936975 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:20:58.349453926 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:20:58.354365110 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:20:58.414793968 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:20:58.417089939 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:20:58.421889067 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:20:58.509418964 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:20:58.511497974 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:20:58.516587973 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:20:58.604156017 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:20:58.606163025 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:20:58.611073017 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:21:00.912002087 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:21:00.916929960 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:21:01.086560965 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:21:01.088239908 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:21:01.093074083 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:21:02.893342972 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:21:02.942910910 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:21:14.147440910 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:21:14.299743891 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:21:14.468163967 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:21:14.471576929 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:21:14.476506948 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:21:27.380673885 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:21:27.385847092 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:21:27.554989100 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:21:27.556879997 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:21:27.561739922 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:21:30.147229910 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:21:30.152126074 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:21:30.321634054 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:21:30.324507952 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:21:30.329840899 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:21:32.899725914 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:21:32.942955017 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:21:43.380654097 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:21:43.385766983 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:21:43.570050001 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:21:43.572154045 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:21:43.577188969 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:21:45.740076065 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:21:45.745217085 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:21:45.786948919 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:21:45.792435884 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:21:45.802571058 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:21:45.807555914 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:21:45.818465948 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:21:45.823391914 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:21:45.929708004 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:21:45.933944941 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:21:45.938884020 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:21:46.027565956 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:21:46.029728889 CEST | 49730 | 50000 | 192.168.2.4 | 191.96.207.180
                              Sep 24, 2024 19:21:46.034563065 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:21:46.142451048 CEST | 50000 | 49730 | 191.96.207.180 | 192.168.2.4
                              Sep 24, 2024 19:21:46.144475937 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:21:46.349517107 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:21:46.352520943 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:21:46.357454062 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:21:52.383496046 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:21:52.388720989 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:21:52.558233976 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:21:52.568974972 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:21:52.573951006 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:21:55.943350077 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:21:55.948422909 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:21:56.068275928 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:21:56.073533058 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:21:56.120661020 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:21:56.122936010 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:21:56.127779961 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:21:56.244817972 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:21:56.246761084 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:21:56.251919031 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:02.161876917 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:22:02.167937994 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:02.339360952 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:02.350083113 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:22:02.354861975 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:02.913985968 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:02.958513975 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:22:04.255922079 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:22:04.450105906 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:04.628138065 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:04.637850046 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:22:04.655674934 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:10.974451065 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:22:10.980886936 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:11.150264978 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:11.152100086 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:22:11.157147884 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:17.068283081 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:22:17.410545111 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:22:17.748002052 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:22:18.474489927 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:22:18.772656918 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:18.775325060 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:18.775414944 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:18.775439024 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:18.940931082 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:18.946384907 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:22:18.952760935 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:21.927484035 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:22:22.209439993 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:22.389122963 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:22.391079903 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:22:22.404474020 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:26.271640062 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:22:26.276828051 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:26.448895931 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:26.451884031 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:22:26.456758022 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:27.271425009 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:22:27.276555061 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:27.445851088 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:27.448028088 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:22:27.453020096 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:32.115010023 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:22:32.120223045 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:32.289633036 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:32.291960955 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:22:32.296928883 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:32.891113997 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:32.975533962 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:22:37.818177938 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:22:37.823314905 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:37.833822966 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:22:37.838766098 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:38.164741039 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:38.164776087 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:38.164850950 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:22:38.165158987 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:38.165294886 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:22:38.167243958 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:22:38.172488928 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:38.172538996 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:22:38.177439928 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:51.068162918 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:22:51.073148966 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:51.243423939 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:51.247746944 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:22:51.252722025 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:57.433222055 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:22:57.438250065 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:57.612972975 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:22:57.618282080 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:22:57.623172045 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:23:02.900551081 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:23:02.942893982 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:23:09.084018946 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:23:09.089071035 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:23:09.258596897 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:23:09.260961056 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:23:09.265798092 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:23:14.130762100 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:23:14.135828018 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:23:14.177700996 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:23:14.182641029 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:23:14.240242958 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:23:14.245287895 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:23:14.313700914 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:23:14.316870928 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:23:14.321913004 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:23:14.396297932 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:23:14.401276112 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:23:14.409315109 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:23:14.410696983 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:23:14.617290020 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:23:14.788666964 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:23:14.788726091 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:23:14.789658070 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:23:14.789921045 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:23:14.790133953 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:23:14.790363073 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:23:14.791762114 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:23:14.795208931 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:23:14.795706034 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:23:14.800626993 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:23:18.818134069 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:23:18.824938059 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:23:19.176603079 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:23:19.181221008 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:23:19.192198992 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:23:29.646691084 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:23:29.865014076 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:23:29.886060953 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:23:29.886081934 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:23:30.054997921 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:23:30.059562922 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:23:30.064393044 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:23:32.912144899 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:23:32.958498955 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:23:33.224380016 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:23:33.257854939 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:23:33.577158928 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:23:33.579355955 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:23:33.584253073 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:23:41.451445103 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:23:41.456404924 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:23:41.626485109 CEST5000049730191.96.207.180192.168.2.4
                              Sep 24, 2024 19:23:41.630250931 CEST4973050000192.168.2.4191.96.207.180
                              Sep 24, 2024 19:23:41.635236025 CEST5000049730191.96.207.180192.168.2.4
                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              Sep 24, 2024 19:19:49.233422995 CEST | 53211 | 53 | 192.168.2.4 | 1.1.1.1
                              Sep 24, 2024 19:19:49.252233028 CEST | 53 | 53211 | 1.1.1.1 | 192.168.2.4

                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                              Sep 24, 2024 19:19:49.233422995 CEST | 192.168.2.4 | 1.1.1.1 | 0xf03e | Standard query (0) | vecotr.viewdns.net | A (IP address) | IN (0x0001) | false

                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                              Sep 24, 2024 19:19:49.252233028 CEST | 1.1.1.1 | 192.168.2.4 | 0xf03e | No error (0) | vecotr.viewdns.net | | 191.96.207.180 | A (IP address) | IN (0x0001) | false

                              Target ID: 0
                              Start time: 13:19:31
                              Start date: 24/09/2024
                              Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit): false
                              Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\GvJxEfWyS1.ps1"
                              Imagebase: 0x7ff788560000
                              File size: 452'608 bytes
                              MD5 hash: 04029E121A0CFA5991749937DD22A1D9
                              Has elevated privileges: true
                              Has administrator privileges: true
                              Programmed in: C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1846514640.00000199C3A7D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1846514640.00000199C3A7D000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1846349807.00000199C16B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1846514640.00000199C3645000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1846514640.00000199C1E47000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1846514640.00000199C1E47000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                              Reputation: high
                              Has exited: true

                              Target ID: 1
                              Start time: 13:19:31
                              Start date: 24/09/2024
                              Path: C:\Windows\System32\conhost.exe
                              Wow64 process (32bit): false
                              Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase: 0x7ff7699e0000
                              File size: 862'208 bytes
                              MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges: true
                              Has administrator privileges: true
                              Programmed in: C, C++ or other language
                              Reputation: high
                              Has exited: true

                              Target ID: 2
                              Start time: 13:19:45
                              Start date: 24/09/2024
                              Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                              Wow64 process (32bit): true
                              Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                              Imagebase: 0x6a0000
                              File size: 45'984 bytes
                              MD5 hash: 9D352BC46709F0CB5EC974633A0C3C94
                              Has elevated privileges: true
                              Has administrator privileges: true
                              Programmed in: C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000002.4168640908.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000002.4168640908.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000002.4172249930.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              Reputation: high
                              Has exited: false

                              Reset < >
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1885415239.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b8a0000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: 9N_H
                                • API String ID: 0-2470920388
                                • Opcode ID: e4a936782f04fb1fd2dfc5a4e52e86f935c5062ec3fcb4cd04346da7fad7f9f8
                                • Instruction ID: 8e2672485ca23d20999d78a2c716728e85d9b17d18629998abb61a3d653d40bc
                                • Opcode Fuzzy Hash: e4a936782f04fb1fd2dfc5a4e52e86f935c5062ec3fcb4cd04346da7fad7f9f8
                                • Instruction Fuzzy Hash: 02F15A3171EA8E4FEB59EB1CC4A59B577E0FF99350B0901BED08AC71A3DA25E842C750
                                Memory Dump Source
                                • Source File: 00000000.00000002.1885909991.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b970000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 80fa8786ebecdb714dd341d03458312d1fdbe48aabc5d6f3f11b4f0d945c8290
                                • Instruction ID: 0b523f2cf23501e831b34ac180aa6618fb50524e6286bcd013669914a957ea36
                                • Opcode Fuzzy Hash: 80fa8786ebecdb714dd341d03458312d1fdbe48aabc5d6f3f11b4f0d945c8290
                                • Instruction Fuzzy Hash: 68526932B1EB9D1FE76ACB6848A56B43BE1EF56214B0A01FBD44DC71E3DA18AD05C341
                                Memory Dump Source
                                • Source File: 00000000.00000002.1885909991.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b970000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6a44615f73f0383ed5971e1fc49ebb273571a943d0516cbe40770b946351a7b8
                                • Instruction ID: c1e9c73ca6c936bd6a929b147f4d4cb1826b07f18cdaed988e28c84eece05071
                                • Opcode Fuzzy Hash: 6a44615f73f0383ed5971e1fc49ebb273571a943d0516cbe40770b946351a7b8
                                • Instruction Fuzzy Hash: 9CE13B31A2F7891FE76A9BA858A65B53BD1EF57210B0901FFD089C71F3D918AD06C341
                                Memory Dump Source
                                • Source File: 00000000.00000002.1885909991.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b970000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4720ed0e4bc824101c329d19f80dc209b02b4e5fd2d882914b1ebcddc066c727
                                • Instruction ID: 482c4e4437c1bbfc7be97118dcb2b4da84e77628bb6305a8ee630607aa702d73
                                • Opcode Fuzzy Hash: 4720ed0e4bc824101c329d19f80dc209b02b4e5fd2d882914b1ebcddc066c727
                                • Instruction Fuzzy Hash: 64F18C71A0E7C95FE766DB6888A55643FE1EF16314F1900FED089CB1E3DA29AC46C341
                                Memory Dump Source
                                • Source File: 00000000.00000002.1885909991.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b970000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e8a6eed9d91a4f12977d0ea33e8431a3874fdfe66e160f822316ca095c5e9584
                                • Instruction ID: 236e2d74e227b24bbe26c905c98c4fd6f8a1dfd3fc91465338d4847876260064
                                • Opcode Fuzzy Hash: e8a6eed9d91a4f12977d0ea33e8431a3874fdfe66e160f822316ca095c5e9584
                                • Instruction Fuzzy Hash: 5DE15B71A0EBC95FE766DB6848A56643FE1EF16314B1900FED089CB1E3DA29AC46C341
                                Memory Dump Source
                                • Source File: 00000000.00000002.1885909991.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b970000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 11445887ad55de23baf64271e40ae03c92779e8be5312f062c8bf9dfe0f6f045
                                • Instruction ID: 0cecbad80592713c26cd935a1215f655865bdd0f40ad9f99f4efb35012d8c259
                                • Opcode Fuzzy Hash: 11445887ad55de23baf64271e40ae03c92779e8be5312f062c8bf9dfe0f6f045
                                • Instruction Fuzzy Hash: A511D372B2FA494FEBACDA9C54A217973D2EF99221B4500BFD04FC31B3DE19A8064704
                                Memory Dump Source
                                • Source File: 00000000.00000002.1885909991.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b970000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d0a02ee5720e21c570a5b4fad73970e92a1b715dee47d2bcfc99ede081edc195
                                • Instruction ID: 794f5fbd8f22f3014a64bd409584e18cc8078ffc6dee776d8bcc1446f5292f34
                                • Opcode Fuzzy Hash: d0a02ee5720e21c570a5b4fad73970e92a1b715dee47d2bcfc99ede081edc195
                                • Instruction Fuzzy Hash: 24110B22F1EA6E1FF7BC969C346127413C1DF84624B4901BAD54DC32D7DD089D030245
                                Memory Dump Source
                                • Source File: 00000000.00000002.1885415239.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b8a0000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6459418d17c968f611493b202bc8878d7d6bbd4ef232a24e319b5c38e81a30cb
                                • Instruction ID: 7e107eb4747ff55afe8b51e0595f4a933c7b56eb1c490ad315b6e32bfe9d6d84
                                • Opcode Fuzzy Hash: 6459418d17c968f611493b202bc8878d7d6bbd4ef232a24e319b5c38e81a30cb
                                • Instruction Fuzzy Hash: AF014C3090964C8FCF95EF58C859AE97FE0FF28305F0541AAE409C72A1DB34E680CB81

                                Execution Graph

                                Execution Coverage:13.4%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:0%
                                Total number of Nodes:65
                                Total number of Limit Nodes:5

                                Control-flow Graph

                                APIs
                                • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,02927E3A), ref: 02927F27
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.4171754036.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_2920000_RegSvcs.jbxd
                                Similarity
                                • API ID: GlobalMemoryStatus
                                • String ID: sD
                                • API String ID: 1890195054-1361941829

                                Control-flow Graph

                                APIs
                                • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,02927E3A), ref: 02927F27
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.4171754036.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_2920000_RegSvcs.jbxd
                                Similarity
                                • API ID: GlobalMemoryStatus
                                • String ID: sD
                                • API String ID: 1890195054-1361941829

                                Control-flow Graph

                                APIs
                                • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,02927E3A), ref: 02927F27
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.4171754036.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_2920000_RegSvcs.jbxd
                                Similarity
                                • API ID: GlobalMemoryStatus
                                • String ID: sD
                                • API String ID: 1890195054-1361941829
                                Memory Dump Source
                                • Source File: 00000002.00000002.4169354330.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_bcd000_RegSvcs.jbxd