
Windows Analysis Report
84Z63SyEQ7.ps1

Overview

General Information

Sample name: 84Z63SyEQ7.ps1 (renamed because original name is a hash value)
Original sample name: fc80cb0479aa75176137ece45d778fb4631b7aaaf294e9bd2640b56c686643bb.ps1
Analysis ID: 1517140
MD5: 1c46bfc607b523389fcc8bd1d3407f84
SHA1: 6f187008fffde9d48ba4c591e5965ea2906bed3d
SHA256: fc80cb0479aa75176137ece45d778fb4631b7aaaf294e9bd2640b56c686643bb
Tags: ps1, vecotr-viewdns-net, user-JAMESWT_MHT

Detection

PureLog Stealer, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected PureLog Stealer
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 1340 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\84Z63SyEQ7.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 2612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 6196 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • RegSvcs.exe (PID: 6544 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
{"C2 url": ["vecotr.viewdns.net"], "Port": "50000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source | Rule | Description | Author | Strings
00000004.00000002.4591457992.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000004.00000002.4591457992.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x6aa8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x6b45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x6c5a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x691a:$cnc4: POST / HTTP/1.1
00000000.00000002.2313087322.000001A998460000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000000.00000002.2280796718.000001A9821C7000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000000.00000002.2280796718.000001A9821C7000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x1ae08:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1aea5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x1afba:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x1ac7a:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
0.2.powershell.exe.1a9805099b8.1.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
0.2.powershell.exe.1a9805099b8.1.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x4ea8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x4f45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x505a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x4d1a:$cnc4: POST / HTTP/1.1
0.2.powershell.exe.1a981e19bf8.0.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.2.powershell.exe.1a981e19bf8.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
4.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |

                System Summary

Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\84Z63SyEQ7.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\84Z63SyEQ7.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\84Z63SyEQ7.ps1", ProcessId: 1340, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\84Z63SyEQ7.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\84Z63SyEQ7.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\84Z63SyEQ7.ps1", ProcessId: 1340, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-24T19:24:26.817842+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:24:32.899730+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:24:39.062028+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:24:51.653604+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:24:51.656316+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:25:02.894554+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:25:03.561380+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:25:15.811499+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:25:26.324631+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:25:32.877186+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:25:33.487018+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:25:37.545843+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:25:39.343159+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:25:42.671236+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:25:53.107228+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:25:53.218034+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:25:53.398167+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:25:58.718840+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:02.902771+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:08.671188+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:08.979804+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:09.105032+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:09.467868+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:15.278052+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:20.732013+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:22.657089+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:25.530128+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:29.985575+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:30.760723+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:30.860403+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:33.062648+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:33.140732+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:36.769681+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:36.870953+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:36.971000+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:37.080175+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:37.352873+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:37.479781+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:49.627657+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:01.875888+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:02.895217+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:09.230503+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:11.483815+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:13.795808+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:14.655732+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:15.184090+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:21.922348+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:23.585574+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:29.421109+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:32.888558+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:34.313786+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:44.390069+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:44.480306+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:44.576963+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:44.652221+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:44.747754+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:44.843024+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:44.936341+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:48.640042+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:49.846197+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:58.815359+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:28:01.301630+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:28:01.303044+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:28:02.917782+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-24T19:24:26.870741+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:24:39.073363+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:24:51.656861+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:25:03.563323+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:25:15.814071+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:25:26.332535+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:25:33.492913+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:25:37.577009+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:25:39.344834+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:25:42.673337+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:25:53.115374+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:25:53.219781+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:25:53.305750+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:25:53.400183+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:25:58.720912+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:26:08.674371+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:26:08.981775+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:26:09.107168+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:26:09.472324+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:26:15.280343+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:26:20.734284+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:26:22.658696+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:26:25.541196+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:26:29.991426+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:26:30.762241+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:26:30.861844+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:26:36.785373+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:26:36.872686+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:26:36.972442+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:26:37.081706+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:26:37.354521+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:26:37.481183+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:26:49.630042+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:01.877504+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:09.233437+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:11.485486+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:13.797724+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:14.657329+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:15.185755+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:21.924061+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:23.587318+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:29.423308+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:34.315423+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:44.393018+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:44.483419+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:44.581630+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:44.654039+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:44.749616+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:44.844645+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:44.938126+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:48.647336+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:49.848024+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:58.818389+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:28:01.302346+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-24T19:24:32.899730+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:25:02.894554+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:25:32.877186+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:02.902771+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:33.062648+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:33.140732+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:02.895217+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:32.888558+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:28:02.917782+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-24T19:26:14.903524+0200 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP


                AV Detection

Source: 00000000.00000002.2280796718.000001A9821C7000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["vecotr.viewdns.net"], "Port": "50000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: 84Z63SyEQ7.ps1 | ReversingLabs: Detection: 23%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 4.2.RegSvcs.exe.400000.0.unpack | String decryptor: vecotr.viewdns.net
Source: 4.2.RegSvcs.exe.400000.0.unpack | String decryptor: 50000
Source: 4.2.RegSvcs.exe.400000.0.unpack | String decryptor: <123456789>
Source: 4.2.RegSvcs.exe.400000.0.unpack | String decryptor: <Xwormmm>
Source: 4.2.RegSvcs.exe.400000.0.unpack | String decryptor: XWorm V5.6
Source: 4.2.RegSvcs.exe.400000.0.unpack | String decryptor: USB.exe
Source: Binary string: NewPE2.pdb | source: powershell.exe, 00000000.00000002.2313087322.000001A998460000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.2280796718.000001A981B65000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: NewPE2.pdb(@ | source: powershell.exe, 00000000.00000002.2313087322.000001A998460000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.2280796718.000001A981B65000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft

                Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49717 -> 191.96.207.180:50000
Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 191.96.207.180:50000 -> 192.168.2.6:49717
Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.6:49717 -> 191.96.207.180:50000
Source: Network traffic | Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 191.96.207.180:50000 -> 192.168.2.6:49717
Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49717 -> 191.96.207.180:50000
Source: Malware configuration extractor | URLs: vecotr.viewdns.net
Source: global traffic | TCP traffic: 192.168.2.6:49717 -> 191.96.207.180:50000
Source: Joe Sandbox View | IP Address: 191.96.207.180
Source: Joe Sandbox View | ASN Name: ASN-XTUDIONETES
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: vecotr.viewdns.net
Source: powershell.exe, 00000000.00000002.2301132284.000001A9902B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.2280796718.000001A980368000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.2280796718.000001A980141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4602231795.00000000028E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2280796718.000001A980368000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.2280796718.000001A980141000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.2301132284.000001A9902B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.2301132284.000001A9902B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.2301132284.000001A9902B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.2280796718.000001A980368000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.2301132284.000001A9902B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

                System Summary

                Source: 0.2.powershell.exe.1a9805099b8.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
                Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
                Source: 0.2.powershell.exe.1a9805099b8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
                Source: 00000004.00000002.4591457992.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
                Source: 00000000.00000002.2280796718.000001A9821C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
                Source: 00000000.00000002.2280796718.000001A980368000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process Stats: CPU usage > 49%
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD347740F2
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD34773CFA
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD34773EF5
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD34773F53
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_026F6348
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_026FB038
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_026F5670
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_026F84B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_026F5328
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_026F0BA0
                Source: 0.2.powershell.exe.1a9805099b8.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0.2.powershell.exe.1a9805099b8.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000004.00000002.4591457992.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000000.00000002.2280796718.000001A9821C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000000.00000002.2280796718.000001A980368000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0.2.powershell.exe.1a9805099b8.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.powershell.exe.1a9805099b8.1.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.powershell.exe.1a998460000.2.raw.unpack, EwV3ECxYhIse1SOarW.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 0.2.powershell.exe.1a981e19bf8.0.raw.unpack, EwV3ECxYhIse1SOarW.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: classification engine | Classification label: mal100.troj.evad.winPS1@6/5@1/1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\FxwhhRft8tFCNpWd
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2612:120:WilError_03
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zxxvivap.sdx.ps1
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                Source: 84Z63SyEQ7.ps1 | ReversingLabs: Detection: 23%
                Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\84Z63SyEQ7.ps1"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdatauser.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                Source: Binary string: NewPE2.pdb source: powershell.exe, 00000000.00000002.2313087322.000001A998460000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.2280796718.000001A981B65000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: NewPE2.pdb(@ source: powershell.exe, 00000000.00000002.2313087322.000001A998460000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.2280796718.000001A981B65000.00000004.00000800.00020000.00000000.sdmp

                Data Obfuscation

                Source: 0.2.powershell.exe.1a9805099b8.1.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 0.2.powershell.exe.1a9805099b8.1.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 0.2.powershell.exe.1a998460000.2.raw.unpack, EwV3ECxYhIse1SOarW.cs | .Net Code: uDdV8u69VKLnNev38PJ(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{uDdV8u69VKLnNev38PJ(typeof(IntPtr).TypeHandle),typeof(Type)})
                Source: 0.2.powershell.exe.1a981e19bf8.0.raw.unpack, EwV3ECxYhIse1SOarW.cs | .Net Code: uDdV8u69VKLnNev38PJ(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{uDdV8u69VKLnNev38PJ(typeof(IntPtr).TypeHandle),typeof(Type)})
                Source: 0.2.powershell.exe.1a9805099b8.1.raw.unpack, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
                Source: 0.2.powershell.exe.1a9805099b8.1.raw.unpack, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
                Source: 0.2.powershell.exe.1a9805099b8.1.raw.unpack, Messages.cs | .Net Code: Memory
                Source: 0.2.powershell.exe.1a998460000.2.raw.unpack, EwV3ECxYhIse1SOarW.cs | High entropy of concatenated method names: 'coIv6gaxrKyOU6UxhGB', 'YmKxVlaSSMxjg7yeSZr', 'BPTavEfPI8', 'pdaPcya8thctOw7jJPR', 'e52AmiaR6Zmb9lryLLG', 'VFhmi5apOUL45Layo85', 's7lkoDagZ7SB5rZQITN', 'q7yQT6aJ19wG5Ff3PrV', 'eUANGaaiQTIQvIro7Lh', 'yOG8BOaIDUqRkTkYGTt'
                Source: 0.2.powershell.exe.1a998460000.2.raw.unpack, geUwbRLwd0WNm7K3QP.cs | High entropy of concatenated method names: 'rkesS35Cky', 'auIkQH6o4NfXZEtqLWo', 'UtNfEh6dtiuHEv5GyR3', 'tobPIO6cNsowhYm6JYZ', 'z08y4G6OJTjebtPXsBe', 'xM0xGg6Dv9ifjCVCALk', 's2oSNh6kHwXWCjPNT1e', 'RHJgFS6jYOqPmd8yqch', 'HCgwjo6NdCdqwgS1jXN'
                Source: 0.2.powershell.exe.1a998460000.2.raw.unpack, Native.cs | High entropy of concatenated method names: 'LoadLibraryA', 'GetProcAddress', 'LoadApi', 'M2DDfJCjDKI6dkvGbUU', 'HytCt3CceuoYVLARgTH', 'asbBtkCOLuWCxWmxMrH', 'iPe0TGCNg1ulsrFuGHe', 'XE084OCYFp6QURxQXNM', 'xNDrW9CmxlBnIETjTvQ'
                Source: 0.2.powershell.exe.1a998460000.2.raw.unpack, Str.cs | High entropy of concatenated method names: 'ReverseString', 'BinaryToString', 'yRVbf4CTORcmD8WTJOo', 'CGyNH1CXiymcSWZhYiZ', 'fAYOIbCErgtjxemufl3', 'Y23WHXCwRSKNSXICkhU', 'IvO6ajC1bhZeT4AHTEO', 'vHGAm5CepTLTEblhDwj', 'Vx8Qx4CvcsaBOBt7IZf', 'n2p6k0CrwoLDc063WAb'
                Source: 0.2.powershell.exe.1a998460000.2.raw.unpack, PE.cs | High entropy of concatenated method names: 'Execute', 'muFoq8CAseaYDIPspOv', 'KRwVQXCGtZfeLlAnof5', 'arNOAMCxGMOePGZ8BMp', 'nnjcWOCSyXwHiJoVevG', 'Tvu02TCfqoPNp1rrRW2', 'nFaWI9Cl6YnHEcOun9x', 'oUX4ckCK7QI2rXqWGRQ', 'GFGnodC8lHNWHj6unEy', 'wBS7MKCRFTgjZ1Q4fVT'
                Source: 0.2.powershell.exe.1a981e19bf8.0.raw.unpack, EwV3ECxYhIse1SOarW.cs | High entropy of concatenated method names: 'coIv6gaxrKyOU6UxhGB', 'YmKxVlaSSMxjg7yeSZr', 'BPTavEfPI8', 'pdaPcya8thctOw7jJPR', 'e52AmiaR6Zmb9lryLLG', 'VFhmi5apOUL45Layo85', 's7lkoDagZ7SB5rZQITN', 'q7yQT6aJ19wG5Ff3PrV', 'eUANGaaiQTIQvIro7Lh', 'yOG8BOaIDUqRkTkYGTt'
                Source: 0.2.powershell.exe.1a981e19bf8.0.raw.unpack, geUwbRLwd0WNm7K3QP.cs | High entropy of concatenated method names: 'rkesS35Cky', 'auIkQH6o4NfXZEtqLWo', 'UtNfEh6dtiuHEv5GyR3', 'tobPIO6cNsowhYm6JYZ', 'z08y4G6OJTjebtPXsBe', 'xM0xGg6Dv9ifjCVCALk', 's2oSNh6kHwXWCjPNT1e', 'RHJgFS6jYOqPmd8yqch', 'HCgwjo6NdCdqwgS1jXN'
                Source: 0.2.powershell.exe.1a981e19bf8.0.raw.unpack, Native.cs | High entropy of concatenated method names: 'LoadLibraryA', 'GetProcAddress', 'LoadApi', 'M2DDfJCjDKI6dkvGbUU', 'HytCt3CceuoYVLARgTH', 'asbBtkCOLuWCxWmxMrH', 'iPe0TGCNg1ulsrFuGHe', 'XE084OCYFp6QURxQXNM', 'xNDrW9CmxlBnIETjTvQ'
                Source: 0.2.powershell.exe.1a981e19bf8.0.raw.unpack, Str.cs | High entropy of concatenated method names: 'ReverseString', 'BinaryToString', 'yRVbf4CTORcmD8WTJOo', 'CGyNH1CXiymcSWZhYiZ', 'fAYOIbCErgtjxemufl3', 'Y23WHXCwRSKNSXICkhU', 'IvO6ajC1bhZeT4AHTEO', 'vHGAm5CepTLTEblhDwj', 'Vx8Qx4CvcsaBOBt7IZf', 'n2p6k0CrwoLDc063WAb'
                Source: 0.2.powershell.exe.1a981e19bf8.0.raw.unpack, PE.cs | High entropy of concatenated method names: 'Execute', 'muFoq8CAseaYDIPspOv', 'KRwVQXCGtZfeLlAnof5', 'arNOAMCxGMOePGZ8BMp', 'nnjcWOCSyXwHiJoVevG', 'Tvu02TCfqoPNp1rrRW2', 'nFaWI9Cl6YnHEcOun9x', 'oUX4ckCK7QI2rXqWGRQ', 'GFGnodC8lHNWHj6unEy', 'wBS7MKCRFTgjZ1Q4fVT'
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4090
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5758
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 1365
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 8459
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5156 | Thread sleep time: -14757395258967632s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
                Source: RegSvcs.exe, 00000004.00000002.4595681946.0000000000C57000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: 0.2.powershell.exe.1a9805099b8.1.raw.unpack, Messages.cs | Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
                Source: 0.2.powershell.exe.1a998460000.2.raw.unpack, Native.cs | Reference to suspicious API methods: hZtBkRIAsdEfXyYT8l.DKNdSqYsy(GetProcAddress(LoadLibraryA(ref *(string*)(&name)), ref *(string*)(&method)), eNT4yUcAs2TV1EOUTN.DKNdSqYsy(typeof(CreateApi).TypeHandle, eNT4yUcAs2TV1EOUTN.NP4OpjU4s), hZtBkRIAsdEfXyYT8l.mQhtqTkRs)
                Source: 0.2.powershell.exe.1a998460000.2.raw.unpack, PE.cs | Reference to suspicious API methods: Native.WriteProcessMemory(processInformation.ProcessHandle, num10 + num16, array3, array3.Length, ref bytesWritten)
                Source: 0.2.powershell.exe.1a998460000.2.raw.unpack, PE.cs | Reference to suspicious API methods: Native.ReadProcessMemory(processInformation.ProcessHandle, num5 + 8, ref buffer2, 4, ref bytesWritten)
                Source: 0.2.powershell.exe.1a998460000.2.raw.unpack, PE.cs | Reference to suspicious API methods: x42mfHCtV6jaJIpPla7(Native.VirtualAllocEx, processInformation.ProcessHandle, num6, length, 12288, 64)
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 40A000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 40C000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 79C008
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: RegSvcs.exe, 00000004.00000002.4595681946.0000000000C4A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.powershell.exe.1a981e19bf8.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.powershell.exe.1a981e19bf8.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.powershell.exe.1a998460000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.powershell.exe.1a998460000.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.2313087322.000001A998460000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2280796718.000001A981B65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0.2.powershell.exe.1a9805099b8.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.powershell.exe.1a9805099b8.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000004.00000002.4591457992.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2280796718.000001A9821C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.4602231795.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2280796718.000001A980368000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 1340, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6544, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match | File source: 0.2.powershell.exe.1a981e19bf8.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.powershell.exe.1a981e19bf8.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.powershell.exe.1a998460000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.powershell.exe.1a998460000.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.2313087322.000001A998460000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2280796718.000001A981B65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0.2.powershell.exe.1a9805099b8.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.powershell.exe.1a9805099b8.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000004.00000002.4591457992.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2280796718.000001A9821C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.4602231795.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2280796718.000001A980368000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 1340, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6544, type: MEMORYSTR
                MITRE ATT&CK Matrix (techniques grouped by tactic; the number in front of a technique is the badge shown in the report for that technique)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
                Execution: 11 Windows Management Instrumentation; 1 Native API; At; Cron; Launchd; Scheduled Task
                Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
                Privilege Escalation: 211 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
                Defense Evasion: 1 Disable or Modify Tools; 121 Virtualization/Sandbox Evasion; 211 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Software Packing; 1 DLL Side-Loading
                Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
                Discovery: 121 Security Software Discovery; 1 Process Discovery; 121 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 13 System Information Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
                Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
                Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
                Source | Detection | Scanner | Label
                84Z63SyEQ7.ps1 | 24% | ReversingLabs | Script-PowerShell.Backdoor.Xworm
                No Antivirus matches

                Source | Detection | Scanner | Label
                http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
                https://aka.ms/pscore68 | 0% | URL Reputation | safe
                http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
                https://contoso.com/ | 0% | URL Reputation | safe
                https://nuget.org/nuget.exe | 0% | URL Reputation | safe
                https://contoso.com/License | 0% | URL Reputation | safe
                https://contoso.com/Icon | 0% | URL Reputation | safe
                https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
                vecotr.viewdns.net | 0% | Avira URL Cloud | safe
                http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Avira URL Cloud | safe
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                vecotr.viewdns.net | 191.96.207.180 | true | true | (none) | unknown

                Name | Malicious | Antivirus Detection | Reputation
                vecotr.viewdns.net | true | Avira URL Cloud: safe | unknown

                Name | Source | Malicious | Antivirus Detection | Reputation
                http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.2301132284.000001A9902B9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.2280796718.000001A980141000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://pesterbdd.com/images/Pester.png | powershell.exe, 00000000.00000002.2280796718.000001A980368000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.2280796718.000001A980141000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.4602231795.00000000028E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000000.00000002.2280796718.000001A980368000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://github.com/Pester/Pester | powershell.exe, 00000000.00000002.2280796718.000001A980368000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://contoso.com/ | powershell.exe, 00000000.00000002.2301132284.000001A9902B9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.2301132284.000001A9902B9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://contoso.com/License | powershell.exe, 00000000.00000002.2301132284.000001A9902B9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://contoso.com/Icon | powershell.exe, 00000000.00000002.2301132284.000001A9902B9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                IP | Domain | Country | ASN | ASN Name | Malicious
                191.96.207.180 | vecotr.viewdns.net | Chile | 60458 | ASN-XTUDIONETES | true
                Joe Sandbox version: 41.0.0 Charoite
                Analysis ID: 1517140
                Start date and time: 2024-09-24 19:23:00 +02:00
                Joe Sandbox product: CloudBasic
                Overall analysis duration: 0h 6m 53s
                Hypervisor based Inspection enabled: false
                Report type: full
                Cookbook file name: default.jbs
                Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of new started processes analysed: 9
                Number of new started drivers analysed: 0
                Number of existing processes analysed: 0
                Number of existing drivers analysed: 0
                Number of injected processes analysed: 0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode: default
                Analysis stop reason: Timeout
                Sample name: 84Z63SyEQ7.ps1 (renamed because the original name is a hash value)
                Original Sample Name: fc80cb0479aa75176137ece45d778fb4631b7aaaf294e9bd2640b56c686643bb.ps1
                Detection: MAL
                Classification: mal100.troj.evad.winPS1@6/5@1/1
                EGA Information:
                • Successful, ratio: 50%
                HCA Information:
                • Successful, ratio: 95%
                • Number of executed functions: 12
                • Number of non-executed functions: 6
                Cookbook Comments:
                • Found application associated with file extension: .ps1
                • Override analysis time to 240000 for current running targets taking high CPU consumption
                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                • Execution Graph export aborted for target powershell.exe, PID 1340 because it is empty
                • Not all processes were analyzed; the report is missing behavior information
                • VT rate limit hit for: 84Z63SyEQ7.ps1
                Time | Type | Description
                13:23:53 | API Interceptor | 41x Sleep call for process: powershell.exe modified
                13:24:13 | API Interceptor | 8606633x Sleep call for process: RegSvcs.exe modified
                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                191.96.207.180 | XClient.exe | malicious | XWorm |
                191.96.207.180 | GvJxEfWyS1.ps1 | malicious | PureLog Stealer, XWorm |
                191.96.207.180 | 7lFbTUxX9m.ps1 | malicious | PureLog Stealer, XWorm |
                191.96.207.180 | XeI2N4WyGz.ps1 | malicious | XWorm |
                191.96.207.180 | lzsVg6vGuu.ps1 | malicious | PureLog Stealer, XWorm |
                191.96.207.180 | payload_1.vbs | malicious | XWorm |
                191.96.207.180 | Commitment_for_Title_Insurance-660184790411.wsf | malicious | XWorm |

                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                vecotr.viewdns.net | XClient.exe | malicious | XWorm | 191.96.207.180
                vecotr.viewdns.net | GvJxEfWyS1.ps1 | malicious | PureLog Stealer, XWorm | 191.96.207.180
                vecotr.viewdns.net | 7lFbTUxX9m.ps1 | malicious | PureLog Stealer, XWorm | 191.96.207.180
                vecotr.viewdns.net | XeI2N4WyGz.ps1 | malicious | XWorm | 191.96.207.180
                vecotr.viewdns.net | lzsVg6vGuu.ps1 | malicious | PureLog Stealer, XWorm | 191.96.207.180
                vecotr.viewdns.net | payload_1.vbs | malicious | XWorm | 191.96.207.180
                vecotr.viewdns.net | Commitment_for_Title_Insurance-660184790411.wsf | malicious | XWorm | 191.96.207.180

                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                ASN-XTUDIONETES | XClient.exe | malicious | XWorm | 191.96.207.180
                ASN-XTUDIONETES | GvJxEfWyS1.ps1 | malicious | PureLog Stealer, XWorm | 191.96.207.180
                ASN-XTUDIONETES | 7lFbTUxX9m.ps1 | malicious | PureLog Stealer, XWorm | 191.96.207.180
                ASN-XTUDIONETES | XeI2N4WyGz.ps1 | malicious | XWorm | 191.96.207.180
                ASN-XTUDIONETES | lzsVg6vGuu.ps1 | malicious | PureLog Stealer, XWorm | 191.96.207.180
                ASN-XTUDIONETES | payload_1.vbs | malicious | XWorm | 191.96.207.180
                ASN-XTUDIONETES | Commitment_for_Title_Insurance-660184790411.wsf | malicious | XWorm | 191.96.207.180
                ASN-XTUDIONETES | file_5822aee2333945a68f99cf2cfdd0e024_2024-09-16_14_28_33_034000.zip | malicious | Unknown | 179.61.228.98
                ASN-XTUDIONETES | mlnZfOifRX.elf | malicious | Okiru | 45.151.195.118
                ASN-XTUDIONETES | arm7.elf | malicious | Mirai | 185.37.230.233

                No context
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):64
                                Entropy (8bit):1.1940658735648508
                                Encrypted:false
                                SSDEEP:3:NlllulDm0ll//Z:NllU6cl/
                                MD5:DA1F22117B9766A1F0220503765A5BA5
                                SHA1:D35597157EFE03AA1A88C1834DF8040B3DD3F3CB
                                SHA-256:BD022BFCBE39B4DA088DDE302258AE375AAFD6BDA4C7B39A97D80C8F92981C69
                                SHA-512:520FA7879AB2A00C86D9982BB057E7D5E243F7FC15A12BA1C823901DC582D2444C76534E955413B0310B9EBD043400907FD412B88927DAD07A1278D3B667E3D9
                                Malicious:false
                                Reputation:moderate, very likely benign file
                                Preview:@...e.................................R..............@..........
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Reputation:high, very likely benign file
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Reputation:high, very likely benign file
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):6224
                                Entropy (8bit):3.7327858222885704
                                Encrypted:false
                                SSDEEP:48:rZDOlUtyZ3CyQU2UuIyukvhkvklCywdchltzlHJ8KSogZo98hltzlt8KSogZop1:tOZ3CKTBkvhkvCCtOhltzCHlhltzaHK
                                MD5:D8A3F4E65D9F35604B26B57B7EB25709
                                SHA1:B7757806C30E1A9C69CF1FCC3C08BF59BB6C2704
                                SHA-256:875928EFADD5DD50B0ABEA929151D7DDFD9B9CFB9CE3DF1ED9752B93EFF99A17
                                SHA-512:7595AEE3CF0A07411EF8D4065C503E3F86AEDFDCAE4B65E62DB06F8C3C9D4F9BCC38D5DF15C85349A7D087BA67E3A01AA3FE0D632BDC82DF15BF5654957E7B04
                                Malicious:false
                                Reputation:low
                                Preview:...................................FL..................F.".. ...J.S....w#.....z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S...........c/.........t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<28Y.............................^.A.p.p.D.a.t.a...B.V.1.....8Y....Roaming.@......EW<28Y....../.....................F...R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<28Y.....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<28Y.....2.....................6...W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<28Y.....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<28Y.....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<28Y......u...........
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):6224
                                Entropy (8bit):3.7327858222885704
                                Encrypted:false
                                SSDEEP:48:rZDOlUtyZ3CyQU2UuIyukvhkvklCywdchltzlHJ8KSogZo98hltzlt8KSogZop1:tOZ3CKTBkvhkvCCtOhltzCHlhltzaHK
                                MD5:D8A3F4E65D9F35604B26B57B7EB25709
                                SHA1:B7757806C30E1A9C69CF1FCC3C08BF59BB6C2704
                                SHA-256:875928EFADD5DD50B0ABEA929151D7DDFD9B9CFB9CE3DF1ED9752B93EFF99A17
                                SHA-512:7595AEE3CF0A07411EF8D4065C503E3F86AEDFDCAE4B65E62DB06F8C3C9D4F9BCC38D5DF15C85349A7D087BA67E3A01AA3FE0D632BDC82DF15BF5654957E7B04
                                Malicious:false
                                Preview:...................................FL..................F.".. ...J.S....w#.....z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S...........c/.........t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<28Y.............................^.A.p.p.D.a.t.a...B.V.1.....8Y....Roaming.@......EW<28Y....../.....................F...R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<28Y.....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<28Y.....2.....................6...W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<28Y.....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<28Y.....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<28Y......u...........
                                File type:ASCII text, with very long lines (65526), with CRLF line terminators
                                Entropy (8bit):3.124818912023792
                                TrID:
                                  File name:84Z63SyEQ7.ps1
                                  File size:329'783 bytes
                                  MD5:1c46bfc607b523389fcc8bd1d3407f84
                                  SHA1:6f187008fffde9d48ba4c591e5965ea2906bed3d
                                  SHA256:fc80cb0479aa75176137ece45d778fb4631b7aaaf294e9bd2640b56c686643bb
                                  SHA512:dad58a75c8eef2cc756d202f8e90a4d6a58f173dd3838324be4ad14d8abb50e20f886b89e8dd3d2a9e406215896dd9650aa91e5d9da813319604e2034db23d31
                                  SSDEEP:3072:HL3D5WXtWVH44LhC8z60U4h3mSvsgTUfWwLC5ImBK5W9Fp81fABAUvetcTnZm:v5W0H44LhC87TUOwqYyfbg
                                  TLSH:C564CC898537FB85CC0228A61D2B39F078C86D5EA1F5C8F0AF379C1A25D50589FBDDA1
                                  File Content Preview:try..{....$cake = "4D_5A_90_00_03_00_00_00_04_00_00_00_FF_FF_00_00_B8_00_00_00_00_00_00_00_40_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_80_00_00_00_0E_1F_BA_0E_00_B4_09_CD_21_B8_01_4C_CD_21_54
                                  Icon Hash:3270d6baae77db44
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-24T19:24:26.644038+0200 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:24:26.817842+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:24:26.870741+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:24:32.899730+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:24:32.899730+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:24:39.062028+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:24:39.073363+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:24:51.653604+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:24:51.656316+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:24:51.656861+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:25:02.894554+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:25:02.894554+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:25:03.561380+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:25:03.563323+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:25:15.811499+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:25:15.814071+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:25:26.324631+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:25:26.332535+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:25:32.877186+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:25:32.877186+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:25:33.487018+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:25:33.492913+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:25:37.545843+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:25:37.577009+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:25:39.343159+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:25:39.344834+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:25:42.671236+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:25:42.673337+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:25:53.107228+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:25:53.115374+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:25:53.218034+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:25:53.219781+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:25:53.305750+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:25:53.398167+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:25:53.400183+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:25:58.718840+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:25:58.720912+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:26:02.902771+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:02.902771+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:08.671188+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:08.674371+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:26:08.979804+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:08.981775+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:26:09.105032+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:09.107168+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:26:09.467868+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:09.472324+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:26:14.903524+0200 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:26:15.278052+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:15.280343+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:26:20.732013+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:20.734284+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:26:22.657089+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:22.658696+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:26:25.530128+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:25.541196+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:26:29.985575+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:29.991426+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:26:30.760723+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:30.762241+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:26:30.860403+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:30.861844+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:26:33.062648+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:33.062648+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:33.140732+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:33.140732+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:36.769681+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:36.785373+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:26:36.870953+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:36.872686+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:26:36.971000+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:36.972442+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:26:37.080175+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:37.081706+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:26:37.352873+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:37.354521+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:26:37.479781+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:37.481183+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:26:49.627657+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:26:49.630042+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:01.875888+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:01.877504+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:02.895217+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:02.895217+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:09.230503+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:09.233437+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:11.483815+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:11.485486+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:13.795808+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:13.797724+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:14.655732+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:14.657329+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:15.184090+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:15.185755+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:21.922348+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:21.924061+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:23.585574+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:23.587318+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:29.421109+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:29.423308+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:32.888558+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:32.888558+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:34.313786+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:34.315423+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:44.390069+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:44.393018+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:44.480306+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:44.483419+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:44.576963+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:44.581630+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:44.652221+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:44.654039+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:44.747754+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:44.749616+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:44.843024+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:44.844645+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:44.936341+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:44.938126+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:48.640042+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:48.647336+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:49.846197+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:49.848024+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:27:58.815359+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:27:58.818389+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:28:01.301630+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:28:01.302346+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49717 | 191.96.207.180 | 50000 | TCP
2024-09-24T19:28:01.303044+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:28:02.917782+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
2024-09-24T19:28:02.917782+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 191.96.207.180 | 50000 | 192.168.2.6 | 49717 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 24, 2024 19:24:14.175878048 CEST | 55642 | 53 | 192.168.2.6 | 1.1.1.1
Sep 24, 2024 19:24:14.186742067 CEST | 53 | 55642 | 1.1.1.1 | 192.168.2.6

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 24, 2024 19:24:14.175878048 CEST | 192.168.2.6 | 1.1.1.1 | 0x9ba6 | Standard query (0) | vecotr.viewdns.net | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 24, 2024 19:24:14.186742067 CEST | 1.1.1.1 | 192.168.2.6 | 0x9ba6 | No error (0) | vecotr.viewdns.net | - | 191.96.207.180 | A (IP address) | IN (0x0001) | false
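The traffic rows above are the data an analyst actually wants out of this report: the resolver lookup of vecotr.viewdns.net, its answer 191.96.207.180, and the TCP session the guest then opens to that address on port 50000. When the report is scraped as text, the column separators between timestamp, ports and IPs are dropped, and because ports and IP octets are both digit runs the fused string is genuinely ambiguous (the DNS row "5564253192.168.2.61.1.1.1" can be read as 55642/53 or 5564/253 or 556/4253, all syntactically valid). The parser below is an added example, not code from Joe Security or from the report: it enumerates every valid reading of a row, keeps only readings that involve the sandbox guest (192.168.2.6, stated in the report), and then prefers the reading whose mirror image (ports and addresses swapped) appears in another row, which is what a request/reply pair looks like. It then summarises each external peer: packet counts per direction, session duration, whether the peer came from a DNS answer, and whether the server port is outside a small set of common ports. The sample rows are copied from the tables above; the common-port set and the mirror heuristic are this example's assumptions.

```python
import re

# Constructed sample input: six rows copied from the report's traffic tables in the
# form the text extraction left them (timestamp, src port, dst port, src IP, dst IP
# fused with no separators).
RAW_ROWS = [
    "Sep 24, 2024 19:27:44.755800009 CEST5000049717191.96.207.180192.168.2.6",
    "Sep 24, 2024 19:27:44.844645023 CEST4971750000192.168.2.6191.96.207.180",
    "Sep 24, 2024 19:27:48.466072083 CEST4971750000192.168.2.6191.96.207.180",
    "Sep 24, 2024 19:27:48.470839024 CEST5000049717191.96.207.180192.168.2.6",
    "Sep 24, 2024 19:24:14.175878048 CEST5564253192.168.2.61.1.1.1",
    "Sep 24, 2024 19:24:14.186742067 CEST53556421.1.1.1192.168.2.6",
]
ANALYSIS_VM = {"192.168.2.6"}                           # sandbox guest, per the report
DNS_ANSWERS = {"vecotr.viewdns.net": "191.96.207.180"}  # from the DNS answer row
COMMON_SERVER_PORTS = {53, 80, 443}                     # assumption for this example

TS_RE = re.compile(r"^([A-Z][a-z]{2} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d+ [A-Z]{3,4})(\d.*)$")


def _port_ok(s):
    return s.isdigit() and (s == "0" or s[0] != "0") and int(s) <= 65535


def _ip_ok(s):
    parts = s.split(".")
    return len(parts) == 4 and all(p.isdigit() and 1 <= len(p) <= 3 and int(p) <= 255 for p in parts)


def candidate_tuples(rest):
    """Every (sport, dport, src, dst) reading of the fused digit string after the timestamp."""
    out = []
    for a in range(1, 6):            # source port: 1-5 digits
        for b in range(1, 6):        # destination port: 1-5 digits
            sport, dport, ips = rest[:a], rest[a:a + b], rest[a + b:]
            if not (_port_ok(sport) and _port_ok(dport)):
                continue
            parts = ips.split(".")
            if len(parts) != 7:      # two dotted quads fused share one middle digit run
                continue
            mid = parts[3]           # "<last octet of src><first octet of dst>"
            for k in range(1, len(mid)):
                src = ".".join(parts[:3] + [mid[:k]])
                dst = ".".join([mid[k:]] + parts[4:])
                cand = (int(sport), int(dport), src, dst)
                if _ip_ok(src) and _ip_ok(dst) and cand not in out:
                    out.append(cand)
    return out


def parse_rows(raw_rows, known_hosts):
    """Return (timestamp, sport, dport, src, dst) per row, disambiguated by the known
    guest address and by request/reply mirroring across rows."""
    parsed = []
    for line in raw_rows:
        m = TS_RE.match(line)
        if not m:
            raise ValueError("unrecognised row: " + line)
        cands = [c for c in candidate_tuples(m.group(2)) if c[2] in known_hosts or c[3] in known_hosts]
        parsed.append((m.group(1), cands))
    all_cands = {c for _, cs in parsed for c in cs}
    rows = []
    for ts, cands in parsed:
        mirrored = [c for c in cands if (c[1], c[0], c[3], c[2]) in all_cands]
        pick = mirrored or cands
        if len(pick) != 1:
            raise ValueError(f"ambiguous row at {ts}: {pick}")
        rows.append((ts,) + pick[0])
    return rows


def _seconds(ts):
    h, m, s = ts.split()[3].split(":")    # "19:27:44.755800009" -> seconds of day
    return int(h) * 3600 + int(m) * 60 + float(s)


def c2_summary(rows, known_hosts, dns_answers):
    """Per external (peer IP, peer port): packets in/out, duration, DNS name, port check."""
    rdns = {ip: name for name, ip in dns_answers.items()}
    peers = {}
    for ts, sport, dport, src, dst in rows:
        if dst in known_hosts:                   # inbound: the peer is the source
            peer, pport, direction = src, sport, "in"
        else:                                    # outbound: the peer is the destination
            peer, pport, direction = dst, dport, "out"
        p = peers.setdefault((peer, pport), {
            "in": 0, "out": 0, "first": _seconds(ts), "last": _seconds(ts),
            "domain": rdns.get(peer), "nonstandard_port": pport not in COMMON_SERVER_PORTS})
        p[direction] += 1
        p["first"] = min(p["first"], _seconds(ts))
        p["last"] = max(p["last"], _seconds(ts))
    for p in peers.values():
        p["duration_s"] = round(p["last"] - p["first"], 3)
    return peers


if __name__ == "__main__":
    for key, info in c2_summary(parse_rows(RAW_ROWS, ANALYSIS_VM), ANALYSIS_VM, DNS_ANSWERS).items():
        print(key, info)
```

With the six sample rows the only peer flagged on a non-standard port is 191.96.207.180:50000, and the reverse lookup ties it back to vecotr.viewdns.net; 1.1.1.1:53 is the resolver. The mirror heuristic is what removes the wrong readings of the DNS rows, so if you feed a one-sided capture (only one direction present) expect the parser to raise rather than guess.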


                                  Target ID:0
                                  Start time:13:23:51
                                  Start date:24/09/2024
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\84Z63SyEQ7.ps1"
                                  Imagebase:0x7ff6e3d50000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2313087322.000001A998460000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2280796718.000001A9821C7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2280796718.000001A9821C7000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2280796718.000001A980368000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2280796718.000001A980368000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2280796718.000001A981B65000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:high
                                  Has exited:true

                                  Target ID:1
                                  Start time:13:23:51
                                  Start date:24/09/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff66e660000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:3
                                  Start time:13:24:05
                                  Start date:24/09/2024
                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                  Imagebase:0x90000
                                  File size:45'984 bytes
                                  MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:4
                                  Start time:13:24:05
                                  Start date:24/09/2024
                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                  Imagebase:0x5d0000
                                  File size:45'984 bytes
                                  MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000002.4591457992.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000004.00000002.4591457992.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000002.4602231795.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:high
                                  Has exited:false
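The process list above is the host-side picture of the infection: powershell.exe runs the script with the execution policy overridden, and about fourteen seconds later two copies of RegSvcs.exe appear with no command-line argument at all, one of them 32-bit and still running with XWorm rule hits in a region at 0x402000, well away from the image base the report gives for that process (0x5d0000). RegSvcs.exe only exists to process an assembly path, so a bare invocation is itself a signal, and a memory region at the default 32-bit link base 0x400000 inside a host whose own image is mapped elsewhere is what a second, injected PE looks like. The triage routine below is an added example, not code from Joe Security or from the report. The records are transcribed from the process list, but the parent links are not stated on the page and are this example's assumption; the use of the file size as a stand-in for the image size, and the generalisation to RegAsm.exe and other script hosts, are assumptions as well.

```python
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Proc:
    tid: int                 # Joe Sandbox "Target ID"
    path: str
    cmdline: str
    wow64: bool
    imagebase: int
    file_size: int
    parent: Optional[int]    # assumed parent Target ID (not stated on the page)
    yara: list = field(default_factory=list)  # memory-dump source names of rule hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

# Constructed from the report's process list; parent links are an assumption.
PROCS = [
    Proc(0, PS, '"' + PS + '" -noLogo -ExecutionPolicy unrestricted -file "C:\\Users\\user\\Desktop\\84Z63SyEQ7.ps1"',
         False, 0x7ff6e3d50000, 452608, None,
         ["00000000.00000002.2280796718.000001A9821C7000.00000004.00000800.00020000.00000000.sdmp"]),
    Proc(1, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
         False, 0x7ff66e660000, 862208, 0),
    Proc(3, REGSVCS, '"' + REGSVCS + '"', False, 0x90000, 45984, 0),
    Proc(4, REGSVCS, '"' + REGSVCS + '"', True, 0x5d0000, 45984, 0,
         ["00000004.00000002.4591457992.0000000000402000.00000040.00000400.00020000.00000000.sdmp",
          "00000004.00000002.4602231795.00000000028E1000.00000004.00000800.00020000.00000000.sdmp"]),
]

# .NET utilities that always take an assembly path, and script hosts that should not
# be spawning them (generalised beyond the page's RegSvcs/powershell pair; assumption).
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def cmdline_args(cmdline):
    """Everything after the (possibly quoted) image token."""
    m = re.match(r'^\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return m.group(1).strip()


def dump_address(source):
    """Joe dump names are <target>.<snapshot>.<id>.<address>....sdmp; field 3 is the hex base."""
    return int(source.split(".")[3], 16)


def triage(procs):
    """Return (target id, finding) pairs for the injection pattern seen in this report."""
    by_id = {p.tid: p for p in procs}
    findings = []
    for p in procs:
        name = image_name(p.path)
        parent = by_id.get(p.parent) if p.parent is not None else None
        pname = image_name(parent.path) if parent else None
        if name in DOTNET_HOSTS and not cmdline_args(p.cmdline):
            findings.append((p.tid, "dotnet-host-without-assembly"))
        if name in DOTNET_HOSTS and pname in SCRIPT_HOSTS:
            findings.append((p.tid, "dotnet-host-spawned-by-script-host"))
        if name in SCRIPT_HOSTS:
            low = p.cmdline.lower()
            if "-executionpolicy" in low and ("unrestricted" in low or "bypass" in low):
                findings.append((p.tid, "executionpolicy-override"))
        # Rule hits outside the host's own image: file size approximates SizeOfImage (assumption).
        lo, hi = p.imagebase, p.imagebase + p.file_size
        for src in p.yara:
            addr = dump_address(src)
            if not (lo <= addr < hi):
                findings.append((p.tid, f"yara-hit-outside-host-image@0x{addr:x}"))
    return findings


if __name__ == "__main__":
    for tid, finding in triage(PROCS):
        print(tid, finding)
```

On the report's data both RegSvcs.exe targets trip the bare-invocation and script-host-parent checks, the PowerShell target trips the execution-policy check, and the rule hits at 0x402000 and 0x28E1000 in target 4 (and the heap hit in target 0) are all outside their host image. The image-extent check is deliberately loose; for a real endpoint you would read SizeOfImage from the mapped PE header rather than rely on the file size.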

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2317277073.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd34770000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 9P_H
                                    • API String ID: 0-2248134334
                                    • Opcode ID: ee434ab78d553616101b35eb3d1e8cdfb717d04baa369858a65846b1619c0228
                                    • Instruction ID: d6d136275b98aa61209ee2d72e6989e523aa28ac87341b588ac62d87e3f9f5e3
                                    • Opcode Fuzzy Hash: ee434ab78d553616101b35eb3d1e8cdfb717d04baa369858a65846b1619c0228
                                    • Instruction Fuzzy Hash: EFF16A7170CA458FE795EB1C88E5AB57BE1FF96310B4440BED1CAC7193DA69B842C780
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2317818616.00007FFD34840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34840000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd34840000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c1e6e82fc280b7509b5bc7dfe193fb543cccaddae2bf59ef90d66230bdfe157f
                                    • Instruction ID: 06566fe17a17fcaa0dcb22f66c231ea96bf3f7f533a7503d45d5bb159c0cd0a7
                                    • Opcode Fuzzy Hash: c1e6e82fc280b7509b5bc7dfe193fb543cccaddae2bf59ef90d66230bdfe157f
                                    • Instruction Fuzzy Hash: EAE14931B0DB890FE7999B2858A52B53BD1EF5B354F0801FFD589C72A3DA1DA802C341
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2317277073.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd34770000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c69d7ba44c123c4b587ec6fc6bcf2f1857e05943df0ac09f0467ee9838addcba
                                    • Instruction ID: 5dfab7c1fb1febb6277a02d0337c9eae453b7c5e8bb2da981f78d312866beffe
                                    • Opcode Fuzzy Hash: c69d7ba44c123c4b587ec6fc6bcf2f1857e05943df0ac09f0467ee9838addcba
                                    • Instruction Fuzzy Hash: F3411970A18A5D8FDF88EF98D8A56EDB7F1FF59305F10016AE509E7291CB35A840CB80
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2317818616.00007FFD34840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34840000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd34840000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f790ad1bca02ed5ddde4fad235ad6059160ef3b60509f9c2bc6fb476304d5d2f
                                    • Instruction ID: 9469051ecfea2a2e5ec9cfacd884a70ae7f565e87bed484d5b17729725da326b
                                    • Opcode Fuzzy Hash: f790ad1bca02ed5ddde4fad235ad6059160ef3b60509f9c2bc6fb476304d5d2f
                                    • Instruction Fuzzy Hash: 2111D332B1CA0A0FEB989B1C54B127A73C2EF8A355B44017FD64EC32A3DE1AE8025304
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2317277073.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd34770000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                    • Instruction ID: 7d4851e2e39aebfbd3225861672050b8a40e95cb72be33ff8f515fabaec94839
                                    • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                    • Instruction Fuzzy Hash: AF01677121CB0C8FD744EF0CE451AB5B7E0FB95364F50056DE58AC3651D636E882CB45
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2317277073.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd34770000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 810bedd73f5f43de44ed4c0fe52302f8c1b9231732d9433a994c932c43041621
                                    • Instruction ID: 4da285bd7e049f17049083eb19d2838cd48514236442bed6126295019824a058
                                    • Opcode Fuzzy Hash: 810bedd73f5f43de44ed4c0fe52302f8c1b9231732d9433a994c932c43041621
                                    • Instruction Fuzzy Hash: 10012C7091464C9FCF84EF58C859AEA7BF0FF29305F4141AAD409D7261DB35E554CB80
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2317818616.00007FFD34840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34840000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd34840000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1e1754ee4d062b58073ab30dbf83e8c6e6c53113f2715f397d95cf1f228e0a89
                                    • Instruction ID: 165e1239e045e0c78589fdd23afe8614b06c32a4e5b3eb7930b54a44661be9b7
                                    • Opcode Fuzzy Hash: 1e1754ee4d062b58073ab30dbf83e8c6e6c53113f2715f397d95cf1f228e0a89
                                    • Instruction Fuzzy Hash: A1F0E023F0DE5A0AF6A5929C24691F467C1DF9B331B840376D65DD32D7DC0558220285
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2317277073.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd34770000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0c374fbf35d6e38e32050732a1b414b35d631ea0383f98fd6aa93ae95f330787
                                    • Instruction ID: 9797ff828e7d382d72b9a51e90bed2bf29b6396d9e3a66a8c8cfaf505f6b4d19
                                    • Opcode Fuzzy Hash: 0c374fbf35d6e38e32050732a1b414b35d631ea0383f98fd6aa93ae95f330787
                                    • Instruction Fuzzy Hash: 3BF0C970914A4C9FCF84EF58C899AE97BE0FB68305F40456AA40DD3250DB31A594CB81
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2317277073.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd34770000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5f748d57f1e31ab7814b9bf27c6f2afd43c0df518a48e8f5ba2c67efbebfab82
                                    • Instruction ID: 06d8cbac60ce59e4c28ed0b8f53be155ceb93fa70bf887e3cf5b72398d81cef2
                                    • Opcode Fuzzy Hash: 5f748d57f1e31ab7814b9bf27c6f2afd43c0df518a48e8f5ba2c67efbebfab82
                                    • Instruction Fuzzy Hash: 9DE08670F086478FE794DB1488613BDBAA1BF4A318F5082B9D55DD6283CB7D78C45B81
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2317277073.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd34770000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 091e4bdfaf81f3536d3ccd287288c3ce29d3110ba882f11b2b71beed915f3a8c
                                    • Instruction ID: febefc3187a5b9e254ad1e37514ef21c4e31dcf013b6d06b1b492c1589151ef4
                                    • Opcode Fuzzy Hash: 091e4bdfaf81f3536d3ccd287288c3ce29d3110ba882f11b2b71beed915f3a8c
                                    • Instruction Fuzzy Hash: AC518697B0D6929BE312966CA8F60FA3FA4DF8327874941B3C5C4CA093ED4C6457E291
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2317277073.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd34770000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 834e72ea9f2c8ff07cddc07d9022d4c6943586f903704c612cf7259705d77ad8
                                    • Instruction ID: dfd486d58c3e78274fb81af70adf0e85a05b013e74020a3ac882e4531f41a581
                                    • Opcode Fuzzy Hash: 834e72ea9f2c8ff07cddc07d9022d4c6943586f903704c612cf7259705d77ad8
                                    • Instruction Fuzzy Hash: C5517797B0D6929BE311966CA8F70EA3BD4EF8327974941B3C5C4CE053EE4C245BA191
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2317277073.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd34770000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b2a95042896308847050c1cb98808dd8c323ae23d47a804f919ab4a3b9ecd2ec
                                    • Instruction ID: ba192e55ae129818f356130a2939bf5f9364632a23269c9cd716dd82edd910ae
                                    • Opcode Fuzzy Hash: b2a95042896308847050c1cb98808dd8c323ae23d47a804f919ab4a3b9ecd2ec
                                    • Instruction Fuzzy Hash: 8941A68BB0D6D29AE653012D5CB60E93F94DE93225B49C4F7C6C4CA0939E4D2C4BE2A1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2317277073.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd34770000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 170767ba62aa69aa0b433d59968b346c62ac043114502eccd03894daac53af0f
                                    • Instruction ID: bc8e65e1f2add1dd5e16a6cab6b729a927c38035f8381ddd1da47dddd1b0b808
                                    • Opcode Fuzzy Hash: 170767ba62aa69aa0b433d59968b346c62ac043114502eccd03894daac53af0f
                                    • Instruction Fuzzy Hash: 1141979BA0D6D29BE752962C5CF61E63FE4DFA326474940B7C6C4CE053D94C38079391
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2317277073.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd34770000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: &$5N_H$:$L
                                    • API String ID: 0-3132655339
                                    • Opcode ID: bab9552f3434c665ba4009095b1a7427e62bac2627865d672c0678b9afe93a7e
                                    • Instruction ID: 365952076aa68b589bec3b8d6606181e177b7db8199310fa470cc50bcfd03b3d
                                    • Opcode Fuzzy Hash: bab9552f3434c665ba4009095b1a7427e62bac2627865d672c0678b9afe93a7e
                                    • Instruction Fuzzy Hash: 6A513CB0E14A19CFEBA4DF08CCA57A8B7A5EB99301F4080F9D50DD7291DE796E818F40
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2317277073.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd34770000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: "$8$@$L
                                    • API String ID: 0-426383896
                                    • Opcode ID: 8daa0285c72165cb1127256613fe5349c27f4b63a902e79ad49212e805683722
                                    • Instruction ID: d2a5b34829077ca1372360c55d0fb45b2a46aabb4679e16b36158c6e3a39ce3c
                                    • Opcode Fuzzy Hash: 8daa0285c72165cb1127256613fe5349c27f4b63a902e79ad49212e805683722
                                    • Instruction Fuzzy Hash: 3A216D70A08619CFDB64DF04C8A87A8B7B1EF8A305F5041EDD50DDB291CBBA6980CF85

                                    Execution Graph

                                    Execution Coverage:16.3%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:0%
                                    Total number of Nodes:57
                                    Total number of Limit Nodes:7
execution_graph (rendered as a figure in the original report; only the node/edge list survived extraction). Entry node 12083 at 0x26f18e0 in the RegSvcs.exe (target 4) region dumped at 0x26F0000. The nodes chain through 0x26f18e4 -> 0x26f1bc9 / 0x26f1ce0 / 0x26f1d40 -> 0x26f2168 / 0x26f2178 -> 0x26f2c45 / 0x26f2d65 -> 0x26f79e8 / 0x26f79f8 -> 0x26f7c80 -> 0x26f80bb / 0x26f80c8 -> 0x26f7cb8 / 0x26f81a0 / 0x26f81e6. The only resolved API in the graph is GlobalMemoryStatusEx (KERNELBASE), reached from 0x26f7cb8, 0x26f81a0 and 0x26f81e6; the control-flow graphs below cover those blocks.

                                    Control-flow Graph

                                    Memory Dump Source
                                    • Source File: 00000004.00000002.4601506616.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_26f0000_RegSvcs.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 972a3bb3f34ddb37deb1e8cbe5098e68527ef7f01ea620439137e547371b624b
                                    • Instruction ID: f620cf44a118f36e59f8f96af395c1139886a5a81bca3a439927bf76576c3058
                                    • Opcode Fuzzy Hash: 972a3bb3f34ddb37deb1e8cbe5098e68527ef7f01ea620439137e547371b624b
                                    • Instruction Fuzzy Hash: F441F132D0475A8FCB04DFA9D8446AEFBF1EF89310F1486AAD504A7351DB74A845CBE0

                                    Control-flow Graph

control_flow_graph (basic blocks; the executed / not-executed colouring of the original figure is not recoverable from the text)
  39: 0x26f8198-0x26f819c -> 40, 41
  40: 0x26f819e -> 42, 43
  41: 0x26f81a9-0x26f81de -> 44
  42: 0x26f81a5-0x26f81a6 -> 41
  43: 0x26f81a0-0x26f81a4 -> 42
  44: 0x26f81e6-0x26f8214 GlobalMemoryStatusEx -> 45, 46
  45: 0x26f821d-0x26f8245
  46: 0x26f8216-0x26f821c -> 45
                                    APIs
                                    • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,026F811A), ref: 026F8207
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.4601506616.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_26f0000_RegSvcs.jbxd
                                    Similarity
                                    • API ID: GlobalMemoryStatus
                                    • String ID:
                                    • API String ID: 1890195054-0
                                    • Opcode ID: 97b95b71d33b4c8a3200e01d669f7a7ab58f4eb08bbeb81b82eaf7f409f6712b
                                    • Instruction ID: d22aa3f399769cfb0608e983de627b711d4877a26eca224f8fc0c8b290cb3031
                                    • Opcode Fuzzy Hash: 97b95b71d33b4c8a3200e01d669f7a7ab58f4eb08bbeb81b82eaf7f409f6712b
                                    • Instruction Fuzzy Hash: 231106B1C0065ADBDB10CF9AC544BDEFBB4AF48324F10815AD518B7250D778A954CFE5

                                    Control-flow Graph

control_flow_graph (basic blocks; the executed / not-executed colouring of the original figure is not recoverable from the text)
  30: 0x26f7cb8-0x26f8214 GlobalMemoryStatusEx -> 35, 36
  35: 0x26f821d-0x26f8245
  36: 0x26f8216-0x26f821c -> 35
                                    APIs
                                    • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,026F811A), ref: 026F8207
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.4601506616.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_26f0000_RegSvcs.jbxd
                                    Similarity
                                    • API ID: GlobalMemoryStatus
                                    • String ID:
                                    • API String ID: 1890195054-0
                                    • Opcode ID: 516e1fae23b1777d0b05046300aeeb09613d65c9f1606977967020b358ced2d4
                                    • Instruction ID: 4bcd75f44458f3cbb91301f3881a325685cc57305cc562de7b12d202b2b40d87
                                    • Opcode Fuzzy Hash: 516e1fae23b1777d0b05046300aeeb09613d65c9f1606977967020b358ced2d4
                                    • Instruction Fuzzy Hash: D51106B1C0065ADFDB10DF9AC5447DEFBF4AF48220F10816AE518A7240D778A954CFE5